BAU: Prevent evil domain substrings

Previously, if slc.co.uk were on the allowlist notslc.co.uk would also be permitted
govuk-one-login · Dec 18, 2024 · 73ccc6b · 73ccc6b
1 parent ed830c5
commit 73ccc6b
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/express/src/lib/validators/allowed-email-domains.ts b/express/src/lib/validators/allowed-email-domains.ts
@@ -6,7 +6,7 @@ const allowedEmailDomains = loadAllowedEmailDomains();
 export default async function hasAllowedDomain(emailAddress: string): Promise<boolean> {
     const domains = await allowedEmailDomains;
     const emailDomain = getEmailDomain(emailAddress);
-    return domains.some(domain => emailDomain.endsWith(domain));
+    return domains.some(domain => emailDomain === domain || emailDomain.endsWith("." + domain));
 }
 
 function getEmailDomain(email: string) {

diff --git a/express/tests/lib/validators/allowed-email-domains.test.ts b/express/tests/lib/validators/allowed-email-domains.test.ts
@@ -18,10 +18,6 @@ describe("Verify email domains", () => {
         it("Allow an email address ending with a domain on the allowed list", async () => {
             expect(await hasAllowedDomain(`[email protected].${allowedDomain}`)).toBe(true);
         });
-
-        it("Allow an email address ending with a subdomain on the allowed list", async () => {
-            expect(await hasAllowedDomain(`[email protected]${allowedSubDomain}`)).toBe(true);
-        });
     });
 
     describe("Reject invalid domains", () => {
@@ -36,5 +32,9 @@ describe("Verify email domains", () => {
         it("Reject an email address not ending with a subdomain on the allowed list", async () => {
             expect(await hasAllowedDomain(`[email protected].${allowedSubDomain}.subdomain`)).toBe(false);
         });
+
+        it("Rejects an email address where the allowed domain is a substring but not a subdomain", async () => {
+            expect(await hasAllowedDomain(`[email protected]${allowedSubDomain}`)).toBe(false);
+        });
     });
 });
diff --git a/express/tests/lib/validators/email-validator.test.ts b/express/tests/lib/validators/email-validator.test.ts
@@ -2,7 +2,7 @@ import validateEmail from "../../../src/lib/validators/email-validator";
 
 jest.mock("fs/promises", () => {
     return {
-        readFile: jest.fn(() => `allowed.domain\n.gov.uk`)
+        readFile: jest.fn(() => `allowed.domain\ngov.uk`)
     };
 });