Merge branch 'main' into renovate-all-npm-minor-patch

ministryofjustice · Nov 19, 2024 · 66fefb4 · 66fefb4
2 parents 7a63779 + 06eefd6
commit 66fefb4
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 110 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Change log
 
+**November 18th 2024** - Moving away from csurf and to csrf-sync
+
+[csurf](https://www.npmjs.com/package/csurf) has been deprecated for some time and this removes that dependency and implements the [synchronizer token pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns) using [csrf-sync](https://www.npmjs.com/package/csrf-sync).
+
+**Note:** Previously csurf used to generate new tokens on every request. The new library generates tokens once per session which is preferrable due to the extra calls to redis that per-request would generate. It is possible to force a refresh/revocation of a token by explicitly calling: `req.csrfToken(true)`  
+
+See PR [#481](https://github.com/ministryofjustice/hmpps-template-typescript/pull/481)
+
 **November 5th 2024** - Disable 301 redirects on missing static content folders
 
 Previously a non-existent static resource returned a 301 without the appropriate CSP response header.

diff --git a/README.md b/README.md
@@ -19,6 +19,8 @@ Our security policy is located [here](https://github.com/ministryofjustice/hmpps
 More information about the template project including features can be
 found [here](https://dsdmoj.atlassian.net/wiki/spaces/NDSS/pages/3488677932/Typescript+template+project).
 
+Documentation to create new service is located [here](https://tech-docs.hmpps.service.justice.gov.uk/applicationplatform/newservice-GHA/).
+
 ## Creating a Cloud Platform namespace
 
 When deploying to a new namespace, you may wish to use the

diff --git a/helm_deploy/hmpps-template-typescript/Chart.yaml b/helm_deploy/hmpps-template-typescript/Chart.yaml
@@ -5,7 +5,7 @@ name: hmpps-template-typescript
 version: 0.2.0
 dependencies:
   - name: generic-service
-    version: "3.6"
+    version: "3.7"
     repository: https://ministryofjustice.github.io/hmpps-helm-charts
   - name: generic-prometheus-alerts
     version: "1.11"

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -86,7 +86,7 @@
     "compression": "^1.7.5",
     "connect-flash": "^0.1.1",
     "connect-redis": "^7.1.1",
-    "csurf": "^1.11.0",
+    "csrf-sync": "^4.0.3",
     "express": "^4.21.1",
     "express-session": "^1.18.1",
     "govuk-frontend": "^5.7.1",
@@ -107,7 +107,6 @@
     "@types/bunyan-format": "^0.2.9",
     "@types/compression": "^1.7.5",
     "@types/connect-flash": "0.0.40",
-    "@types/csurf": "^1.11.5",
     "@types/express-session": "^1.18.0",
     "@types/http-errors": "^2.0.4",
     "@types/jest": "^29.5.14",
@@ -153,10 +152,5 @@
     "supertest": "^7.0.0",
     "ts-jest": "^29.2.5",
     "typescript": "^5.6.3"
-  },
-  "overrides": {
-    "csurf": {
-      "cookie": "0.7.2"
-    }
   }
 }
diff --git a/rename-project.bash b/rename-project.bash
@@ -68,13 +68,18 @@ sed -i -z -E \
   -e "s/PROD_ALERTS_SEVERITY_LABEL/$PROD_ALERTS_SEVERITY_LABEL/" \
   helm_deploy/values-prod.yaml
 
-# change cron job to be random time otherwise we hit rate limiting with veracode
-RANDOM_HOUR=$((RANDOM % (9 - 3 + 1) + 3))
-RANDOM_MINUTE=$(($RANDOM%60))
-RANDOM_MINUTE2=$(($RANDOM%60))
-sed -i -z -E \
-  -e "s/SLACK_RELEASES_CHANNEL/$SLACK_RELEASES_CHANNEL/" \
-  .circleci/config.yml
+echo "NEEDS TO BE SET MANUALLY"
+echo "========================"
+echo "DAILY CRON:    ${RANDOM_MINUTE} ${RANDOM_HOUR}"
+echo "WEEKLY CRON:   ${RANDOM_MINUTE2} ${RANDOM_HOUR}"
+echo "SLACK CHANNEL: ${SECURITY_ALERTS_SLACK_CHANNEL_ID}"
+
+# TEMPORARILY REMOVED - THIS WILL NEED TO BE DONE MANUALLY UNTIL WE MOVE TO GITHUB ACTIONS BOOTSTRAP
+# sed -i -z -E \
+#   -e "s/on:\n  workflow_dispatch:\n  schedule:\n    - cron: \"19 6/on:\n  workflow_dispatch:\n  schedule:\n    - cron: \"$RANDOM_MINUTE $RANDOM_HOUR/" \
+#   -e "s/on:\n  workflow_dispatch:\n  schedule:\n    - cron: \"34 6/on:\n  workflow_dispatch:\n  schedule:\n    - cron: \"$RANDOM_MINUTE2 $RANDOM_HOUR/" \
+#   -e "s/C05J915DX0Q/$SECURITY_ALERTS_SLACK_CHANNEL_ID/" \
+#   .github/workflows/*
 
 # lastly remove ourselves
 rm rename-project.bash

diff --git a/server/middleware/setUpCsrf.ts b/server/middleware/setUpCsrf.ts
@@ -1,5 +1,5 @@
 import { Router } from 'express'
-import csurf from 'csurf'
+import { csrfSync } from 'csrf-sync'
 
 const testMode = process.env.NODE_ENV === 'test'
 
@@ -8,7 +8,17 @@ export default function setUpCsrf(): Router {
 
   // CSRF protection
   if (!testMode) {
-    router.use(csurf())
+    const {
+      csrfSynchronisedProtection, // This is the default CSRF protection middleware.
+    } = csrfSync({
+      // By default, csrf-sync uses x-csrf-token header, but we use the token in forms and send it in the request body, so change getTokenFromRequest so it grabs from there
+      getTokenFromRequest: req => {
+        // eslint-disable-next-line no-underscore-dangle
+        return req.body._csrf
+      },
+    })
+
+    router.use(csrfSynchronisedProtection)
   }
 
   router.use((req, res, next) => {