Merge pull request #2666 from alphagov/fix-redirect-validation

Allow external redirects without a subdomain

Author: brucebolt

app/validators/routes_and_redirects_validator.rb

@@ -1,13 +1,13 @@
 class RoutesAndRedirectsValidator < ActiveModel::Validator
   EXTERNAL_HOST_ALLOW_LIST = %w[
-    .caa.co.uk
-    .gov.uk
-    .judiciary.uk
-    .moneyhelper.org.uk
-    .nationalhighways.co.uk
-    .nhs.uk
-    .police.uk
-    .ukri.org
+    caa.co.uk
+    gov.uk
+    judiciary.uk
+    moneyhelper.org.uk
+    nationalhighways.co.uk
+    nhs.uk
+    police.uk
+    ukri.org
   ].freeze
 
   def validate(record, base_path: nil)
@@ -176,7 +176,10 @@ def internal?(destination)
     end
 
     def government_domain?(host)
-      host.end_with?(*EXTERNAL_HOST_ALLOW_LIST)
+      return true if EXTERNAL_HOST_ALLOW_LIST.include?(host)
+
+      host_allow_list_for_subdomains = EXTERNAL_HOST_ALLOW_LIST.map { |allowed_host| ".#{allowed_host}" }
+      host.end_with?(*host_allow_list_for_subdomains)
     end
 
     def invalid_destination?(destination)

spec/support/routes_and_redirects_validator.rb

@@ -226,6 +226,7 @@
           http://new-vat-rates.campaignjservicepgov.uk/path/to/your/new/vat-rates
           https://fakesite.net/.new-vat-rates.campaign.gov.uk/path/to/your/new/vat-rates
           ftp://new-vat-rates.campaign.gov.uk/
+          https://evilgov.uk/
         ].each do |destination|
           edition.redirects = [{ path: "#{subject.base_path}/foo", type: "exact", destination: }]
 
@@ -244,6 +245,7 @@
           https://etl.beis.gov.uk/
           https://www.nhs.uk/
           https://www.ukri.org/
+          https://nationalhighways.co.uk/
           https://www.nationalhighways.co.uk/
           https://www.police.uk/
         ].each do |destination|