From c05a4fb86deae00a6eb772fa5684118544fda488 Mon Sep 17 00:00:00 2001
From: Sandhya1874 <39799075+Sandhya1874@users.noreply.github.com>
Date: Thu, 14 Nov 2024 11:49:50 +0000
Subject: [PATCH 1/5] Added documentation ref for creating new service in README.md (#480)

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index eb34dfe2..59f1d833 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,8 @@ Our security policy is located [here](https://github.com/ministryofjustice/hmpps
 More information about the template project including features can be found [here](https://dsdmoj.atlassian.net/wiki/spaces/NDSS/pages/3488677932/Typescript+template+project).
+Documentation to create new service is located [here](https://tech-docs.hmpps.service.justice.gov.uk/applicationplatform/newservice-GHA/).
+
 ## Creating a Cloud Platform namespace
 When deploying to a new namespace, you may wish to use the
From 23e6b87760e376365838b38b32d16fef52708ec5 Mon Sep 17 00:00:00 2001
From: Sandhya1874 <39799075+Sandhya1874@users.noreply.github.com>
Date: Mon, 18 Nov 2024 09:26:39 +0000
Subject: [PATCH 2/5] Removed circleci config update (#482)

* Removed circleci config update

* Update rename-project.bash
---
 rename-project.bash | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/rename-project.bash b/rename-project.bash
index d2edf7e3..3299b252 100755
--- a/rename-project.bash
+++ b/rename-project.bash
@@ -68,13 +68,18 @@ sed -i -z -E \
 -e "s/PROD_ALERTS_SEVERITY_LABEL/$PROD_ALERTS_SEVERITY_LABEL/" \
 helm_deploy/values-prod.yaml
-# change cron job to be random time otherwise we hit rate limiting with veracode
-RANDOM_HOUR=$((RANDOM % (9 - 3 + 1) + 3))
-RANDOM_MINUTE=$(($RANDOM%60))
-RANDOM_MINUTE2=$(($RANDOM%60))
-sed -i -z -E \
- -e "s/SLACK_RELEASES_CHANNEL/$SLACK_RELEASES_CHANNEL/" \
- .circleci/config.yml
+echo "NEEDS TO BE SET MANUALLY"
+echo "========================"
+echo "DAILY CRON: ${RANDOM_MINUTE} ${RANDOM_HOUR}"
+echo "WEEKLY CRON: ${RANDOM_MINUTE2} ${RANDOM_HOUR}"
+echo "SLACK CHANNEL: ${SECURITY_ALERTS_SLACK_CHANNEL_ID}"
+
+# TEMPORARILY REMOVED - THIS WILL NEED TO BE DONE MANUALLY UNTIL WE MOVE TO GITHUB ACTIONS BOOTSTRAP
+# sed -i -z -E \
+# -e "s/on:\n workflow_dispatch:\n schedule:\n - cron: \"19 6/on:\n workflow_dispatch:\n schedule:\n - cron: \"$RANDOM_MINUTE $RANDOM_HOUR/" \
+# -e "s/on:\n workflow_dispatch:\n schedule:\n - cron: \"34 6/on:\n workflow_dispatch:\n schedule:\n - cron: \"$RANDOM_MINUTE2 $RANDOM_HOUR/" \
+# -e "s/C05J915DX0Q/$SECURITY_ALERTS_SLACK_CHANNEL_ID/" \
+# .github/workflows/*
 # lastly remove ourselves
 rm rename-project.bash
From bc29a1302159d64dc6bf7b431d77a81edfdb4488 Mon Sep 17 00:00:00 2001
From: James Reed <109068236+ReedSoftware@users.noreply.github.com>
Date: Mon, 18 Nov 2024 10:09:06 +0000
Subject: [PATCH 3/5] feat: replace csurf with csrf-sync (#481)

---
 package-lock.json | 100 +++------------------------------
 package.json | 8 +-
 server/middleware/setUpCsrf.ts | 14 ++++-
 3 files changed, 20 insertions(+), 102 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 84a42839..14712400 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -19,7 +19,7 @@
 "compression": "^1.7.5",
 "connect-flash": "^0.1.1",
 "connect-redis": "^7.1.1",
- "csurf": "^1.11.0",
+ "csrf-sync": "^4.0.3",
 "express": "^4.21.1",
 "express-session": "^1.18.1",
 "govuk-frontend": "^5.7.1",
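Review bot: The echo lines added after `echo "========================"` print `${RANDOM_MINUTE}`, `${RANDOM_HOUR}` and `${RANDOM_MINUTE2}`, but the assignments that gave those names values (`RANDOM_HOUR=$((RANDOM % (9 - 3 + 1) + 3))`, `RANDOM_MINUTE=$(($RANDOM%60))`, `RANDOM_MINUTE2=$(($RANDOM%60))`) are removed in the same hunk, so unless they are also set earlier in the script the cron values shown for manual setup will be blank. Keep those three assignments, together with the removed comment explaining that the randomised time avoids rate limiting, ahead of the echo block; the commented-out sed that follows depends on them too once it is re-enabled. `SECURITY_ALERTS_SLACK_CHANNEL_ID` is likewise not assigned anywhere in this hunk, and if the script does not run under `set -u` an unset name expands silently to an empty string, so a guard such as `: "${SECURITY_ALERTS_SLACK_CHANNEL_ID:?must be set}"` before the echo would make a missing value visible rather than printing an empty channel.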
@@ -40,7 +40,6 @@ "@types/bunyan-format": "^0.2.9", "@types/compression": "^1.7.5", "@types/connect-flash": "0.0.40", - "@types/csurf": "^1.11.5", "@types/express-session": "^1.18.0", "@types/http-errors": "^2.0.4", "@types/jest": "^29.5.14", @@ -3211,15 +3210,6 @@ "integrity": "sha512-he+DHOWReW0nghN24E1WUqM0efK4kI9oTqDm6XmK8ZPe2djZ90BSNdGnIyCLzCPw7/pogPlGbzI2wHGGmi4O/Q==", "dev": true }, - "node_modules/@types/csurf": { - "version": "1.11.5", - "resolved": "https://registry.npmjs.org/@types/csurf/-/csurf-1.11.5.tgz", - "integrity": "sha512-5rw87+5YGixyL2W8wblSUl5DSZi5YOlXE6Awwn2ofLvqKr/1LruKffrQipeJKUX44VaxKj8m5es3vfhltJTOoA==", - "dev": true, - "dependencies": { - "@types/express-serve-static-core": "*" - } - }, "node_modules/@types/express": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/@types/express/-/express-5.0.0.tgz", 
@@ -5166,76 +5156,13 @@ "node": "*" } }, - "node_modules/csrf": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz", - "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==", - "dependencies": { - "rndm": "1.2.0", - "tsscmp": "1.0.6", - "uid-safe": "2.1.5" - }, - "engines": { - "node": ">= 0.8" - } - }, - "node_modules/csurf": { - "version": "1.11.0", - "resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz", - "integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==", - "deprecated": "Please use another csrf package", - "dependencies": { - "cookie": "0.4.0", - "cookie-signature": "1.0.6", - "csrf": "3.1.0", - "http-errors": "~1.7.3" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/csurf/node_modules/depd": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", - "integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==", - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/csurf/node_modules/http-errors": { - "version": "1.7.3", - "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz", - "integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==", + "node_modules/csrf-sync": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/csrf-sync/-/csrf-sync-4.0.3.tgz", + "integrity": "sha512-wXzltBBzt/7imzDt6ZT7G/axQG7jo4Sm0uXDUzFY8hR59qhDHdjqpW2hojS4oAVIZDzwlMQloIVCTJoDDh0wwA==", + "license": "ISC", "dependencies": { - "depd": "~1.1.2", - "inherits": "2.0.4", - "setprototypeof": "1.1.1", - "statuses": ">= 1.5.0 < 2", - "toidentifier": "1.0.0" - }, - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/csurf/node_modules/setprototypeof": { - "version": "1.1.1", - "resolved": 
"https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.1.tgz", - "integrity": "sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw==" - }, - "node_modules/csurf/node_modules/statuses": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz", - "integrity": "sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA==", - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/csurf/node_modules/toidentifier": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.0.tgz", - "integrity": "sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw==", - "engines": { - "node": ">=0.6" + "http-errors": "^2.0.0" } }, "node_modules/cypress": { @@ -11562,11 +11489,6 @@ "node": "*" } }, - "node_modules/rndm": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz", - "integrity": "sha512-fJhQQI5tLrQvYIYFpOnFinzv9dwmR7hRnUz1XqP3OJ1jIweTNOd6aTO4jwQSgcBSFUB+/KHJxuGneime+FdzOw==" - }, "node_modules/run-parallel": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz", @@ -12701,14 +12623,6 @@ "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.7.0.tgz", "integrity": "sha512-gLXCKdN1/j47AiHiOkJN69hJmcbGTHI0ImLmbYLHykhgeN0jVGola9yVjFgzCUklsZQMW55o+dW7IXv3RCXDzA==" }, - "node_modules/tsscmp": { - "version": "1.0.6", - "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz", - "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==", - "engines": { - "node": ">=0.6.x" - } - }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", diff --git a/package.json b/package.json index 75c90fb6..935c6614 100644 --- a/package.json +++ b/package.json 
@@ -86,7 +86,7 @@
 "compression": "^1.7.5",
 "connect-flash": "^0.1.1",
 "connect-redis": "^7.1.1",
- "csurf": "^1.11.0",
+ "csrf-sync": "^4.0.3",
 "express": "^4.21.1",
 "express-session": "^1.18.1",
 "govuk-frontend": "^5.7.1",
@@ -107,7 +107,6 @@
 "@types/bunyan-format": "^0.2.9",
 "@types/compression": "^1.7.5",
 "@types/connect-flash": "0.0.40",
- "@types/csurf": "^1.11.5",
 "@types/express-session": "^1.18.0",
 "@types/http-errors": "^2.0.4",
 "@types/jest": "^29.5.14",
@@ -153,10 +152,5 @@
 "supertest": "^7.0.0",
 "ts-jest": "^29.2.5",
 "typescript": "^5.6.3"
- },
- "overrides": {
- "csurf": {
- "cookie": "0.7.2"
- }
 }
 }
diff --git a/server/middleware/setUpCsrf.ts b/server/middleware/setUpCsrf.ts
index 6f9a1a54..e736173e 100644
--- a/server/middleware/setUpCsrf.ts
+++ b/server/middleware/setUpCsrf.ts
@@ -1,5 +1,5 @@
 import { Router } from 'express'
-import csurf from 'csurf'
+import { csrfSync } from 'csrf-sync'
 const testMode = process.env.NODE_ENV === 'test'
@@ -8,7 +8,17 @@ export default function setUpCsrf(): Router {
 // CSRF protection
 if (!testMode) {
- router.use(csurf())
+ const {
+ csrfSynchronisedProtection, // This is the default CSRF protection middleware.
+ } = csrfSync({
+ // By default, csrf-sync uses x-csrf-token header, but we use the token in forms and send it in the request body, so change getTokenFromRequest so it grabs from there
+ getTokenFromRequest: req => {
+ // eslint-disable-next-line no-underscore-dangle
+ return req.body._csrf
+ },
+ })
+
+ router.use(csrfSynchronisedProtection)
 }
 router.use((req, res, next) => {
From 0581f53649d4d72d9dee99d2a6b0ae5d23d50e46 Mon Sep 17 00:00:00 2001
From: Andrew Lee <1517745+andrewrlee@users.noreply.github.com>
Date: Mon, 18 Nov 2024 12:01:57 +0000
Subject: [PATCH 4/5] Update CHANGELOG.md (#483)

---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 608a9a19..d8c732d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
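Review bot: `getTokenFromRequest` returns `req.body._csrf` without checking that `req.body` exists, so a state-changing request that reaches this router before a body parser has populated `req.body` (or with a content type the parser does not handle) throws a TypeError and surfaces as a 500 rather than the 403 the library returns for a missing token; I cannot see from the hunk where the body parsers are mounted relative to this router, so if they always run first this is a hardening point rather than a live bug. `return req.body?._csrf` makes the lookup safe, and optional chaining is well within the TypeScript 5.6 level that package.json pins. It would also help to extend the comment above the getter to say that this is a deliberate narrowing from csurf, which additionally accepted the token from the query string and from several request headers, so any client still sending it that way is now rejected. setUpCsrf begins before this hunk and its body continues after it.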
@@ -1,5 +1,13 @@
 # Change log
+**November 18th 2024** - Moving away from csurf and to csrf-sync
+
+[csurf](https://www.npmjs.com/package/csurf) has been deprecated for some time and this removes that dependency and implements the [synchronizer token pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#transmissing-csrf-tokens-in-synchronized-patterns) using [csrf-sync](https://www.npmjs.com/package/csrf-sync).
+
+**Note:** Previously csurf used to generate new tokens on every request. The new library generates tokens once per session which is preferrable due to the extra calls to redis that per-request would generate. It is possible to force a refresh/revocation of a token by explicitly calling: `req.csrfToken(true)`
+
+See PR [#481](https://github.com/ministryofjustice/hmpps-template-typescript/pull/481)
+
 **November 5th 2024** - Disable 301 redirects on missing static content folders
 Previously a non-existent static resource returned a 301 without the appropriate CSP response header.
From 06eefd6b170730788490c5433db2d813d35d1ebd Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 19 Nov 2024 07:59:42 +0000
Subject: [PATCH 5/5] chore(deps): update helm release generic-service to 3.7 (#484)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm_deploy/hmpps-template-typescript/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm_deploy/hmpps-template-typescript/Chart.yaml b/helm_deploy/hmpps-template-typescript/Chart.yaml
index bd56bb9e..5e67c932 100644
--- a/helm_deploy/hmpps-template-typescript/Chart.yaml
+++ b/helm_deploy/hmpps-template-typescript/Chart.yaml
@@ -5,7 +5,7 @@ name: hmpps-template-typescript
 version: 0.2.0
 dependencies:
 - name: generic-service
- version: "3.6"
+ version: "3.7"
 repository: https://ministryofjustice.github.io/hmpps-helm-charts
 - name: generic-prometheus-alerts
 version: "1.11"