LIME-1114-fix added sessionID validation UUID check

govuk-one-login · Sep 26, 2024 · 304c5f0 · 304c5f0
1 parent 817995d
commit 304c5f0
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 1 deletion.
diff --git a/.../src/main/java/uk/gov/di/ipv/cri/passport/checkpassport/handler/CheckPassportHandler.java b/.../src/main/java/uk/gov/di/ipv/cri/passport/checkpassport/handler/CheckPassportHandler.java
@@ -45,6 +45,7 @@
 import java.time.temporal.ChronoUnit;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 import static uk.gov.di.ipv.cri.common.library.error.ErrorResponse.SESSION_EXPIRED;
 import static uk.gov.di.ipv.cri.common.library.error.ErrorResponse.SESSION_NOT_FOUND;
@@ -174,7 +175,7 @@ public APIGatewayProxyResponseEvent handleRequest(
             Map<String, String> requestHeaders = input.getHeaders();
             String sessionId = requestHeaders.get("session_id");
 
-            if (sessionId == null) {
+            if (sessionId == null || sessionIdIsNotUUID(sessionId)) {
                 throw new SessionNotFoundException("Session ID not found in headers");
             }
 
@@ -313,6 +314,13 @@ public APIGatewayProxyResponseEvent handleRequest(
         }
     }
 
+    public boolean sessionIdIsNotUUID(String sessionId) {
+        Pattern uuidRegex =
+                Pattern.compile(
+                        "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$");
+        return !uuidRegex.matcher(sessionId).matches();
+    }
+
     private boolean determineVerificationRetryStatus(
             SessionItem sessionItem,
             DocumentDataVerificationResult documentDataVerificationResult,

diff --git a/.../test/java/uk/gov/di/ipv/cri/passport/checkpassport/handler/CheckPassportHandlerTest.java b/.../test/java/uk/gov/di/ipv/cri/passport/checkpassport/handler/CheckPassportHandlerTest.java
@@ -611,6 +611,43 @@ void handleResponseShouldThrowExceptionWhenSessionIdMissing() throws JsonProcess
                 oauthErrorNode.get("error_description").textValue()); // error description
     }
 
+    @Test
+    void handleResponseShouldThrowExceptionWhenSessionIdIsInvalidUUID()
+            throws JsonProcessingException {
+        APIGatewayProxyRequestEvent mockRequestEvent =
+                Mockito.mock(APIGatewayProxyRequestEvent.class);
+
+        Map<String, String> headers = new HashMap<>();
+        headers.put("session_id", "invalid");
+
+        when(mockRequestEvent.getHeaders()).thenReturn(headers);
+
+        APIGatewayProxyResponseEvent responseEvent =
+                checkPassportHandler.handleRequest(mockRequestEvent, mockLambdaContext);
+
+        JsonNode responseTreeRootNode = new ObjectMapper().readTree(responseEvent.getBody());
+        JsonNode oauthErrorNode = responseTreeRootNode.get("oauth_error");
+
+        CommonExpressOAuthError expectedObject =
+                new CommonExpressOAuthError(
+                        OAuth2Error.ACCESS_DENIED, SESSION_NOT_FOUND.getMessage());
+
+        assertNotNull(responseEvent);
+        assertNotNull(responseTreeRootNode);
+        assertNotNull(oauthErrorNode);
+        assertEquals(HttpStatusCode.FORBIDDEN, responseEvent.getStatusCode());
+
+        assertEquals(
+                "oauth_error",
+                responseTreeRootNode.fieldNames().next().toString()); // Root Node Name
+        assertEquals(
+                expectedObject.getError().get("error"),
+                oauthErrorNode.get("error").textValue()); // error
+        assertEquals(
+                expectedObject.getError().get("error_description"),
+                oauthErrorNode.get("error_description").textValue()); // error description
+    }
+
     private void mockServiceFactoryBehaviour() {
         when(mockServiceFactory.getObjectMapper()).thenReturn(realObjectMapper);
         when(mockServiceFactory.getEventProbe()).thenReturn(mockEventProbe);