From 9a2c9dc0f3287b35e03bf48674c7ef57411ffe87 Mon Sep 17 00:00:00 2001
From: Antariksh
Date: Tue, 1 Jun 2021 19:56:52 +0800
Subject: [PATCH 1/2] fix: deny non-GET requests from RP and SP domains
---
 src/app/modules/auth/auth.middlewares.ts | 34 +++++++++++++++++++
 .../api/v3/admin/forms/admin-forms.routes.ts | 6 +++-
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/src/app/modules/auth/auth.middlewares.ts b/src/app/modules/auth/auth.middlewares.ts
index 2ed57b4f53..89070f4523 100644
--- a/src/app/modules/auth/auth.middlewares.ts
+++ b/src/app/modules/auth/auth.middlewares.ts
@@ -1,6 +1,7 @@
 import { StatusCodes } from 'http-status-codes'
 import { ControllerHandler } from '../core/core.types'
+import * as UserService from '../user/user.service'
 import { isUserInSession } from './auth.utils'
@@ -19,3 +20,36 @@ export const withUserAuthentication: ControllerHandler = (req, res, next) => {
 .status(StatusCodes.UNAUTHORIZED)
 .json({ message: 'User is unauthorized.' })
 }
+
+const DENIED_DOMAINS = ['myrp.edu.sg', 'ichat.sp.edu.sg']
+
+/**
+ * If user is from a domain which should not have been whitelisted,
+ * do not allow any updates. Only allow GET requests, eg to access
+ * submissions.
+ * @returns 400 if user in session is from a disallowed domain and
+ * HTTP method changes database state; next otherwise
+ */
+export const denyRpSpStudentEmails: ControllerHandler<
+ unknown,
+ unknown,
+ unknown
+> = async (req, res, next) => {
+ const userId = (req.session as Express.AuthedSession).user._id
+ return UserService.findUserById(userId)
+ .map((user) => {
+ const emailDomain = user.email.split('@').pop() ?? ''
+ if (
+ DENIED_DOMAINS.includes(emailDomain.toLowerCase()) &&
+ req.method.toLowerCase() !== 'get'
+ ) {
+ return res.sendStatus(StatusCodes.BAD_REQUEST)
+ }
+ return next()
+ })
+ .mapErr(() =>
+ res
+ .status(StatusCodes.UNPROCESSABLE_ENTITY)
+ .json({ message: 'User not found' }),
+ )
+}
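Review bot: In denyRpSpStudentEmails the denied-domain branch answers with `res.sendStatus(StatusCodes.BAD_REQUEST)`, but the request is well-formed; the caller is authenticated and simply not permitted to change state, which is what 403 Forbidden expresses, and the empty body gives the client nothing to act on. Suggested: `return res.status(StatusCodes.FORBIDDEN).json({ message: 'Users from this domain may only view data.' })`, with the `@returns` line of the doc comment updated to say 403. Two smaller points in the same function: `DENIED_DOMAINS.includes(...)` is an exact match, so any subdomain of the listed domains would pass (worth confirming that none were admitted by the allowlist this is compensating for), and the `!== 'get'` test also turns HEAD and OPTIONS into denials, which is probably acceptable but deserves a one-line comment. The `mapErr` branch maps every failure of findUserById, a database error included, to 422 'User not found'; if that service distinguishes a missing user from a database error, the latter would be better reported as a 500 — its error types are not visible in this hunk.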
diff --git a/src/app/routes/api/v3/admin/forms/admin-forms.routes.ts b/src/app/routes/api/v3/admin/forms/admin-forms.routes.ts
index 183f2a8a8f..4fa0f2b9ba 100644
--- a/src/app/routes/api/v3/admin/forms/admin-forms.routes.ts
+++ b/src/app/routes/api/v3/admin/forms/admin-forms.routes.ts
@@ -1,6 +1,9 @@
 import { Router } from 'express'
-import { withUserAuthentication } from '../../../../../modules/auth/auth.middlewares'
+import {
+ denyRpSpStudentEmails,
+ withUserAuthentication,
+} from '../../../../../modules/auth/auth.middlewares'
 import { AdminFormsFeedbackRouter } from './admin-forms.feedback.routes'
 import { AdminFormsFormRouter } from './admin-forms.form.routes'
@@ -14,6 +17,7 @@ export const AdminFormsRouter = Router()
 // All routes in this handler should be protected by authentication.
 AdminFormsRouter.use(withUserAuthentication)
+AdminFormsRouter.use(denyRpSpStudentEmails)
 AdminFormsRouter.use(AdminFormsSettingsRouter)
 AdminFormsRouter.use(AdminFormsFeedbackRouter)
From 6c415d210186e9e797ca839a010032b469d6e9c4 Mon Sep 17 00:00:00 2001
From: Antariksh
Date: Tue, 1 Jun 2021 20:25:57 +0800
Subject: [PATCH 2/2] chore: bump version to 5.12.1
---
 CHANGELOG.md | 12 ++++++++++--
 package-lock.json | 2 +-
 package.json | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3628247b8e..b1c256968e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
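Review bot: The new `AdminFormsRouter.use(denyRpSpStudentEmails)` line is order-dependent: the middleware reads `req.session` through an unchecked `as Express.AuthedSession` cast, so it only works because `withUserAuthentication` is registered on the line before it, and a later reordering would dereference `user` on an unauthenticated session. The existing comment mentions only authentication; extending it makes the constraint explicit, e.g. `// All routes in this handler should be protected by authentication; denyRpSpStudentEmails must stay after withUserAuthentication because it assumes an authenticated session.` Whether other admin routers outside this file also need the domain check is not visible from this hunk.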
@@ -4,8 +4,14 @@ All notable changes to this project will be documented in this file. Dates are d Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog). +#### [v5.12.1](https://github.com/opengovsg/FormSG/compare/v5.12.0...v5.12.1) + +- fix: deny non-GET requests from RP and SP domains [`9a2c9dc`](https://github.com/opengovsg/FormSG/commit/9a2c9dc0f3287b35e03bf48674c7ef57411ffe87) + #### [v5.12.0](https://github.com/opengovsg/FormSG/compare/v5.11.0...v5.12.0) +> 1 June 2021 + - build: upgrade application node version to v14 (by updating Docker image) [`#2038`](https://github.com/opengovsg/FormSG/pull/2038) - feat: Deduplicate Mongodb Error Messages [`#1996`](https://github.com/opengovsg/FormSG/pull/1996) - ref: remove usage of express-serve-static-core types (ParamsDictionary, Query) [`#1848`](https://github.com/opengovsg/FormSG/pull/1848) @@ -38,6 +44,7 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog). - fix: add types to RequestHandler in submitEncryptModeForm [`#1889`](https://github.com/opengovsg/FormSG/pull/1889) - chore: merge v5.11.0 into develop [`#1969`](https://github.com/opengovsg/FormSG/pull/1969) - fix(verification): loosen OTP waiting time by 2 seconds [`#1957`](https://github.com/opengovsg/FormSG/pull/1957) +- chore: bump version to 5.12.0 [`85759bc`](https://github.com/opengovsg/FormSG/commit/85759bc9dc01f73da3cbd0ec73c636e58e983948) #### [v5.11.0](https://github.com/opengovsg/FormSG/compare/v5.10.0...v5.11.0) 
@@ -153,13 +160,14 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 - chore(deps-dev): bump @typescript-eslint/eslint-plugin [`#1790`](https://github.com/opengovsg/FormSG/pull/1790)
 - feat(api-refactor): add specific update end page endpoint in server [`#1760`](https://github.com/opengovsg/FormSG/pull/1760)
 - feat: move server.ts into src/app [`#1785`](https://github.com/opengovsg/FormSG/pull/1785)
+- fix: trigger digest cycle for delete logic [`#1787`](https://github.com/opengovsg/FormSG/pull/1787)
+- chore: bump version to 5.9.0 [`6d6e475`](https://github.com/opengovsg/FormSG/commit/6d6e475c417cfb5efacb203888b0f296159d8ac1)
 - chore: bump version to v5.10.0 [`0615ce5`](https://github.com/opengovsg/FormSG/commit/0615ce5262fcdb65932ad6c9be9ee66503b0e949)
 #### [v5.9.0](https://github.com/opengovsg/FormSG/compare/v5.8.0...v5.9.0)
 > 4 May 2021
-- fix: trigger digest cycle for delete logic [`#1787`](https://github.com/opengovsg/FormSG/pull/1787)
 - fix: allow commas in email confirmation sender [`#1782`](https://github.com/opengovsg/FormSG/pull/1782)
 - chore(deps-dev): bump core-js from 3.11.1 to 3.11.2 [`#1780`](https://github.com/opengovsg/FormSG/pull/1780)
 - fix(deps): bump fp-ts from 2.10.4 to 2.10.5 [`#1781`](https://github.com/opengovsg/FormSG/pull/1781)
@@ -184,7 +192,7 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 - fix(deps): bump aws-sdk from 2.893.0 to 2.894.0 [`#1756`](https://github.com/opengovsg/FormSG/pull/1756)
 - fix(deps): bump @sentry/integrations from 6.3.1 to 6.3.3 [`#1755`](https://github.com/opengovsg/FormSG/pull/1755)
 - chore: merge v5.8.0 into develop [`#1751`](https://github.com/opengovsg/FormSG/pull/1751)
-- chore: bump version to 5.9.0 [`6d6e475`](https://github.com/opengovsg/FormSG/commit/6d6e475c417cfb5efacb203888b0f296159d8ac1)
+- chore: bump version to 5.9.0 [`902fd6a`](https://github.com/opengovsg/FormSG/commit/902fd6a764e94bd0882ca1f7bebb3e79f916c9f3)
 #### [v5.8.0](https://github.com/opengovsg/FormSG/compare/v5.7.1...v5.8.0)
diff --git a/package-lock.json b/package-lock.json
index 23d2b198cc..49d9bbd8d3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "FormSG",
- "version": "5.12.0",
+ "version": "5.12.1",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index 1ca105b797..b9692103b8 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "FormSG",
 "description": "Form Manager for Government",
- "version": "5.12.0",
+ "version": "5.12.1",
 "homepage": "https://form.gov.sg",
 "authors": [
 "FormSG "