Merge pull request #795 from companieshouse/sec-113-implement-csrf-to…

…kens-on-forms SEC-113 Implement csrf token on forms where data is submitted
companieshouse · Oct 21, 2024 · 0760097 · 0760097
2 parents 4b5d21a + 845f5b7
commit 0760097
Show file tree

Hide file tree

Showing 25 changed files with 31 additions and 16 deletions.
diff --git a/src/app.ts b/src/app.ts
@@ -69,7 +69,7 @@ const sessionStore = new SessionStore(new Redis(`redis://${CACHE_SERVER}`));
 
 const csrfProtectionMiddleware = CsrfProtectionMiddleware({
   sessionStore,
-  enabled: false,
+  enabled: true,
   sessionCookieName: COOKIE_NAME
 });
 app.use(csrfProtectionMiddleware);

diff --git a/views/check-trading-status.html b/views/check-trading-status.html
@@ -16,7 +16,7 @@
     <div class="govuk-grid-column-two-thirds">
 
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% if tradingStatusErrorMsg %}
           {{ govukErrorSummary({
             titleText: "There is a problem",

diff --git a/views/confirm-company.html b/views/confirm-company.html
@@ -16,7 +16,7 @@
       <h1 class="govuk-heading-xl">Confirm this is the correct company</h1>
       <h2 class="govuk-heading-l">{{company.companyName}}</h2>
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% set notDueWarningHTML %}
         <p style="font-weight: 400; display: inline;">
           You are not due to file a confirmation statement. If you file a confirmation statement today, it will show the date as

diff --git a/views/includes/csrf_token.html b/views/includes/csrf_token.html
@@ -0,0 +1,7 @@
+
+{% from "web-security-node/components/csrf-token-input/macro.njk" import csrfTokenInput %}
+{{
+    csrfTokenInput({
+        csrfToken: csrfToken
+    })
+}}
diff --git a/views/incorrect-information/wrong-officers.html b/views/incorrect-information/wrong-officers.html
@@ -12,7 +12,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% include "includes/error-alert-message.html" %}
         {% if errorMsgText %}
           {% set officersErrorMsg = {

diff --git a/views/incorrect-information/wrong-psc-details.html b/views/incorrect-information/wrong-psc-details.html
@@ -12,7 +12,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% include "includes/error-alert-message.html" %}
         {% if errorMsgText %}
           {% set pscErrorMsg = {

diff --git a/views/incorrect-information/wrong-registered-office-address.html b/views/incorrect-information/wrong-registered-office-address.html
@@ -12,7 +12,7 @@
 <div class="govuk-grid-row">
   <div class="govuk-grid-column-two-thirds">
     <form action="" method="post">
-
+      {% include "includes/csrf_token.html" %}
       {% include "includes/error-alert-message.html" %}
       {% if errorMsgText %}
           {% set roErrorMsg = {

diff --git a/views/incorrect-information/wrong-registers.html b/views/incorrect-information/wrong-registers.html
@@ -12,7 +12,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% include "includes/error-alert-message.html" %}
         {% if errorMsgText %}
           {% set registerErrorMsg = {

diff --git a/views/incorrect-information/wrong-shareholders.html b/views/incorrect-information/wrong-shareholders.html
@@ -10,6 +10,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
       <form action="" method="post">
+        {% include "includes/csrf_token.html" %}
         <h1 class="govuk-heading-xl">
           You cannot use this service
         </h1>

diff --git a/views/incorrect-information/wrong-sic.html b/views/incorrect-information/wrong-sic.html
@@ -10,6 +10,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
       <form action="" method="post">
+        {% include "includes/csrf_token.html" %}
         <h1 class="govuk-heading-xl">
           You cannot use this service
         </h1>

diff --git a/views/incorrect-information/wrong-statement-of-capital.html b/views/incorrect-information/wrong-statement-of-capital.html
@@ -12,6 +12,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
       <form action="" method="post">
+        {% include "includes/csrf_token.html" %}
         <h1 class="govuk-heading-xl">
           You cannot use this service
         </h1>

diff --git a/views/review.html b/views/review.html
@@ -21,6 +21,7 @@ <h2 class="govuk-heading-m">
       Company number: {{company.companyNumber}}<br>
       Confirmation statement date: {{nextMadeUpToDate}}</h2>
     <form action="" method="post">
+      {% include "includes/csrf_token.html" %}
       {% if ecctEnabled %}
         {% if confirmationStatementError or lawfulActivityStatementError %}
 

diff --git a/views/tasks/active-officers-details.html b/views/tasks/active-officers-details.html
@@ -32,6 +32,7 @@
       {% set activeOfficersError = false %}
     {% endif %}
     <form action="" method="post">
+      {% include "includes/csrf_token.html" %}
       <h1 class="govuk-heading-l">Check the officers' details</h1>
 
       {% set naturalSecretaryHTML %}

diff --git a/views/tasks/active-officers.html b/views/tasks/active-officers.html
@@ -14,6 +14,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-three-quarters">
       <form action="" method="post">
+        {% include "includes/csrf_token.html" %}
         {% if officerErrorMsg %}
           {{ govukErrorSummary({
             titleText: "There is a problem",

diff --git a/views/tasks/active-psc-details.html b/views/tasks/active-psc-details.html
@@ -29,6 +29,7 @@
         {% set activePscsError = false %}
       {% endif %}
       <form action="" method="post">
+        {% include "includes/csrf_token.html" %}
         <h1 class="govuk-heading-l">Check the people with significant control (PSCs) details</h1>
 
         {% include "includes/psc-details.html" %}

diff --git a/views/tasks/check-email-address.html b/views/tasks/check-email-address.html
@@ -12,7 +12,7 @@
 <div class="govuk-grid-row">
   <div class="govuk-grid-column-two-thirds">
     <form action="" method="post">
-
+      {% include "includes/csrf_token.html" %}
       {% if checkEmailErrorMsg %}
             {{ govukErrorSummary({
                 titleText: "There is a problem",

diff --git a/views/tasks/confirm-email-address.html b/views/tasks/confirm-email-address.html
@@ -13,6 +13,7 @@
 
 <div class="govuk-grid-column">
     <form action="" method="post">
+      {% include "includes/csrf_token.html" %}
       <h1 class="govuk-heading-l">Check the email address</h1>
         <dl>
           <dt class="govuk-summary-list__key">Email address</dt>

diff --git a/views/tasks/people-with-significant-control.html b/views/tasks/people-with-significant-control.html
@@ -17,7 +17,7 @@
     <div class="govuk-grid-column-three-quarters">
 
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% if peopleWithSignificantControlErrorMsg %}
           {{ govukErrorSummary({
             titleText: "There is a problem",

diff --git a/views/tasks/provide-email-address.html b/views/tasks/provide-email-address.html
@@ -12,7 +12,7 @@
 <div class="govuk-grid-row">
   <div class="govuk-grid-column-two-thirds">
     <form action="" method="post">
-
+      {% include "includes/csrf_token.html" %}
       {% if emailErrorMsg %}
             {{ govukErrorSummary({
                 titleText: "There is a problem",

diff --git a/views/tasks/psc-statement.html b/views/tasks/psc-statement.html
@@ -15,7 +15,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% if pscStatementControlErrorMsg %}
           {{ govukErrorSummary({
             titleText: "There is a problem",

diff --git a/views/tasks/register-locations.html b/views/tasks/register-locations.html
@@ -12,7 +12,7 @@
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% if registerLocationsErrorMsg %}
           {{ govukErrorSummary({
               titleText: "There is a problem",

diff --git a/views/tasks/registered-office-address.html b/views/tasks/registered-office-address.html
@@ -12,7 +12,7 @@
 <div class="govuk-grid-row">
   <div class="govuk-grid-column-two-thirds">
     <form action="" method="post">
-
+      {% include "includes/csrf_token.html" %}
       {% if roaErrorMsg %}
             {{ govukErrorSummary({
                 titleText: "There is a problem",

diff --git a/views/tasks/shareholders.html b/views/tasks/shareholders.html
@@ -13,7 +13,7 @@
     <div class="govuk-grid-column-two-thirds">
 
       <form action="" method="post">
-
+        {% include "includes/csrf_token.html" %}
         {% if shareholdersErrorMsg %}
             {{ govukErrorSummary({
                 titleText: "There is a problem",

diff --git a/views/tasks/sic.html b/views/tasks/sic.html
@@ -15,7 +15,7 @@
     <div class="govuk-grid-column-two-thirds">
 
       <form action="" method="post">
-
+      {% include "includes/csrf_token.html" %}
       {% if sicCodeErrorMsg %}
         {{ govukErrorSummary({
           titleText: "There is a problem",

diff --git a/views/tasks/statement-of-capital.html b/views/tasks/statement-of-capital.html
@@ -15,7 +15,7 @@
     <div class="govuk-grid-column-two-thirds">
 
         <form action="" method="post">
-
+            {% include "includes/csrf_token.html" %}
             {% if statementOfCapitalErrorMsg %}
               {{ govukErrorSummary({
                 titleText: "There is a problem",