Merge pull request #12237 from bbc/1475-reduce-injection-attack

WSTEAM1-1475 Reduce risk of injection attack via page url
bbc · Dec 16, 2024 · 44ce62e · 44ce62e
2 parents 407d290 + 4b194bb
commit 44ce62e
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/ws-nextjs-app/utilities/pageRequests/getPageData.test.ts b/ws-nextjs-app/utilities/pageRequests/getPageData.test.ts
@@ -1,5 +1,6 @@
 import * as fetchPageData from '#app/routes/utils/fetchPageData';
 import * as getToggles from '#app/lib/utilities/getToggles';
+import * as fetchDataFromBFF from '#app/routes/utils/fetchDataFromBFF';
 import getPageData from './getPageData';
 
 const agent = { cert: 'cert', ca: 'ca', key: 'key' };
@@ -43,6 +44,36 @@ describe('getPageData', () => {
       expect(actualToggles).toStrictEqual(toggleResponse);
     });
 
+    it('Cleans malicious query parameters', async () => {
+      const fetchDataResponse = { title: 'UGC Form Title!' };
+
+      const toggleResponse = {
+        toggles: { testToggle: { enabled: true } },
+      };
+
+      jest.spyOn(fetchPageData, 'default').mockResolvedValue({
+        status: 200,
+        json: { data: fetchDataResponse },
+      });
+
+      jest.spyOn(getToggles, 'default').mockResolvedValue(toggleResponse);
+
+      const fetchDataFromBFFSpy = jest.spyOn(fetchDataFromBFF, 'default');
+
+      await getPageData({
+        id: 'u50853489',
+        service: 'mundo',
+        variant: undefined,
+        rendererEnv: 'live&evilParam=evil',
+        resolvedUrl: '/mundo/send/u50853489',
+        pageType: 'ugcForm',
+      });
+
+      expect(fetchDataFromBFFSpy.mock.calls[0][0].pathname).toEqual(
+        'u50853489?renderer_env=live',
+      );
+    });
+
     it('Returns page data and status 404 for an invalid page', async () => {
       const errorMessage = 'Something went wrong!';
       const toggleResponse = {

diff --git a/ws-nextjs-app/utilities/pageRequests/getPageData.ts b/ws-nextjs-app/utilities/pageRequests/getPageData.ts
@@ -19,7 +19,11 @@ const getPageData = async ({
   resolvedUrl,
   pageType,
 }: PageDataParams) => {
-  const pathname = `${id}${rendererEnv ? `?renderer_env=${rendererEnv}` : ''}`;
+  const path = `${id}${rendererEnv ? `?renderer_env=${rendererEnv}` : ''}`;
+  const url = new URL(path, 'https://www.bbc.com');
+  const rendererEnvironment = url.searchParams.get('renderer_env');
+  const pathname = `${id}${rendererEnvironment ? `?renderer_env=${rendererEnvironment}` : ''}`;
+
   let message;
   let status;
   let json;