Pcq 1986 (#1283)

* PCQ-1986 whitelisting URL --------- Co-authored-by: Martin Spasov <[email protected]>
hmcts · Dec 2, 2024 · 1f265d7 · 1f265d7
1 parent ef10133
commit 1f265d7
Show file tree

Hide file tree

Showing 7 changed files with 430 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -114,6 +114,8 @@ Add `content["list2-<service-name>"]` to the 2 unordered lists.
 If there are questions you want to be excluded from the questionnaire because they are irrelevant (such as asking someone if they are married when coming from the divorce app), 
 please see the [Journey README](app/journeys/README.md) for creating a service specific journey.
 
+Check if service returnURL on production and other envirnments are  whitelisted in [string-utils.js] (app/components)
+
 ### Token key 
 
 A new token key will need to be added in order to generate the token that authenticates the invoking service with PCQ.
@@ -150,6 +152,7 @@ The following change need to made so that test will pass.
 5. Add the new service invoker data in (test/unit/services/testServiceInvokerData.json)
 
 
+
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE.md) file for details.
diff --git a/app/components/string-utils.js b/app/components/string-utils.js
@@ -5,9 +5,40 @@ const prefixHttps = (url = '') => {
     if (!(/^(?:f|ht)tps?:\/\//).test(url)) {
         url = 'https://' + url;
     }
+    if(!isUrlWhitelisted(url)){
+        url = '';
+    }
     return url;
 };
 
+function isUrlWhitelisted(url) {
+    try {
+        // Parse the URL and extract the hostname
+        const { hostname } = new URL(url);
+
+        // Define the whitelisted domains and prefixes
+        const whitelistedDomains = [
+            'service.gov.uk',
+            'cjscp.org.uk',
+            'platform.hmcts.net',
+            'staging.apps.hmcts.net',
+            'test.gov.uk',
+        ];
+        const whitelistedPrefixes = ['https://localhost', 'http://localhost'];
+
+        // Check if the hostname matches any of the whitelisted domains
+        const isDomainWhitelisted = whitelistedDomains.some(domain => hostname.endsWith(domain));
+
+        // Check if the hostname starts with any of the whitelisted prefixes
+        const isPrefixWhitelisted = whitelistedPrefixes.some(prefix => url.startsWith(prefix));
+
+        return isDomainWhitelisted || isPrefixWhitelisted;
+    } catch (e) {
+        // Return false if the URL is invalid
+        return false;
+    }
+}
+
 module.exports = {
     prefixHttps
 };
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "protected-characteristics-frontend",
   "description": "Protected Characteristics web app",
-  "version": "1.2.199",
+  "version": "1.2.200",
   "license": "MIT",
   "engines": {
     "node": ">=14.18.1"

diff --git a/test/end-to-end/smoke/smoketest.js b/test/end-to-end/smoke/smoketest.js
@@ -14,7 +14,7 @@ const params = {
     pcqId: uuidv4(),
     ccdCaseId: '1234567890123456',
     partyId: '[email protected]',
-    returnUrl: 'dummy-return-url',
+    returnUrl: 'dummy.test.gov.uk',
     language: 'en'
 };
 params.token = generateToken(params).token;