uktrade · currycoder · Dec 13, 2024 · Nov 29, 2024 · Dec 2, 2024 · Dec 2, 2024
diff --git a/core/helpers.py b/core/helpers.py
@@ -1,11 +1,13 @@
 from urllib.parse import urlencode
-from django.http import (
-    Http404,
-    StreamingHttpResponse,
-)
+from django.http import StreamingHttpResponse
+from django.core.exceptions import SuspiciousOperation
 from django.utils.http import url_has_allowed_host_and_scheme
 
 
+class UnsafeURLDestination(SuspiciousOperation):
+    pass
+
+
 def dummy_quote(string, safe="", encoding=None, errors=None):
     return string
 
@@ -59,7 +61,7 @@ def check_url(request, url):
     if url_is_safe:
         return url
     else:
-        raise Http404
+        raise UnsafeURLDestination(f"URL destination '{url}' was deemed to be unsafe")
 
 
 def stream_document_response(api_response):

diff --git a/exporter/core/organisation/constants.py b/exporter/core/organisation/constants.py
@@ -14,7 +14,7 @@ class Validation:
     UK_VAT_VALIDATION_REGEX = r"^(GB|XI)?([0-9]{9}([0-9]{3})?|(GD|HA)[0-9]{3})$"
     UK_EORI_STARTING_LETTERS_REGEX = r"^(GB|XI)"
     SIC_NUMBERs_ONLY_REGEX = r"^\d+$"
-    REGISTRATION_NUM_VALIDATION_REGEX = r"^(RC\d+|\d+)$"
+    REGISTRATION_NUM_VALIDATION_REGEX = r"^((RC|NI)\d{6}|\d{8})$"
 
     ADDRESS_LINE_MAX_LENGTH = 35
     UK_EORI_MAX_LENGTH = 17

diff --git a/lite_forms/views.py b/lite_forms/views.py
@@ -20,6 +20,8 @@
     validate_data_unknown,
 )
 from lite_forms.submitters import submit_paged_form
+from core.helpers import check_url
+
 
 ACTION = "_action"
 VALIDATE_ONLY = "validate_only"
@@ -188,9 +190,6 @@
         self.init(request, **kwargs)
         submission = self.on_submission(request, **kwargs)  # noqa
 
-        if submission:
-            return redirect(submission)
-
         response, data = submit_paged_form(
             request,
             self.get_forms(),
@@ -340,7 +339,8 @@
         if self.validate_only_until_final_submission:
             return self.generate_summary_list()
 
-        return redirect(request.path)
+        sanitised_url = check_url(request, request.path)
+        return redirect(sanitised_url)
 
     def post(self, request, **kwargs):
         return self._post(request, **kwargs)
@@ -403,7 +403,9 @@
         if self.validate_only_until_final_submission:
             return self.generate_summary_list()
 
-        return redirect(request.path)
+        sanitised_url = check_url(request, request.path)
+
+        return redirect(sanitised_url)
 
     def dispatch(self, request, *args, **kwargs):
         if request.method.lower() in self.http_method_names:

diff --git a/unit_tests/core/test_helpers.py b/unit_tests/core/test_helpers.py
@@ -1,6 +1,5 @@
 import pytest
-from django.http import Http404
-from core.helpers import convert_parameters_to_query_params, check_url
+from core.helpers import convert_parameters_to_query_params, check_url, UnsafeURLDestination
 
 
 @pytest.fixture
@@ -15,13 +14,13 @@ def test_convert_parameters_to_query_params():
     assert convert_parameters_to_query_params(params) == "?org_type=individual&org_type=commercial&page=1"
 
 
-@pytest.mark.parametrize("url", ["/next-url/", "http://testserver/next-url/"])
+@pytest.mark.parametrize("url", ["/next-url/", "http://testserver/next-url/", "\\valid\path"])
 def test_check_url(mock_request, url):
     assert check_url(mock_request, url) == url
 
 
 # Check not valid host and non secure url
-@pytest.mark.parametrize("url", ["http://not-the-same.com/next/", "https://test-server/next/"])
+@pytest.mark.parametrize("url", ["http://not-the-same.com/next/", "https://test-server/next/", "https:/malicious.com"])
 def test_check_url_not_allowed(mock_request, url):
-    with pytest.raises(Http404):
+    with pytest.raises(UnsafeURLDestination):
         check_url(mock_request, url)
diff --git a/unit_tests/exporter/applications/views/test_end_use_details.py b/unit_tests/exporter/applications/views/test_end_use_details.py
@@ -33,3 +33,28 @@ def test_application_end_use_summary(
         response.context["instruction_text"]
         == "Review your answers below and make any amends you need to. Click 'Save and continue' to save your progress."
     )
+
+
+def test_application_end_use_summary_post_url_has_allowed_host_and_scheme(
+    authorized_client, mock_application_get, application_end_use_summary_url, application_task_list_url
+):
+    response = authorized_client.post(
+        application_end_use_summary_url,
+        data={
+            "_action": "submit",
+        },
+    )
+    assert response.status_code == 302
+
+
+def test_application_end_use_summary_get_next_form_url_has_allowed_host_and_scheme(
+    authorized_client, mock_application_get, application_end_use_summary_url, application_task_list_url
+):
+    response = authorized_client.post(
+        application_end_use_summary_url,
+        data={
+            "_action": "finish",
+            "form_pk": "1",
+        },
+    )
+    assert response.status_code == 302
diff --git a/unit_tests/exporter/core/organisation/test_forms.py b/unit_tests/exporter/core/organisation/test_forms.py
@@ -161,7 +161,10 @@ def test_register_details_form_required_fields(
                     "Enter a SIC code that is 5 numbers long, like 12345",
                     "SIC code can only include numbers",
                 ],
-                "registration_number": ["The CRN or RC number is too long"],
+                "registration_number": [
+                    "The CRN or RC number is too long",
+                    "Enter a CRN or RC number in the correct format",
+                ],
             },
             forms.RegisterDetailsCommercialOverseasForm,
         ),
@@ -177,7 +180,10 @@ def test_register_details_form_required_fields(
             {
                 "sic_number": ["Enter a SIC code that is 5 numbers long, like 12345"],
                 "vat_number": ["UK VAT number is too long", "Enter a UK VAT number in the correct format"],
-                "registration_number": ["The CRN or RC number is too long"],
+                "registration_number": [
+                    "The CRN or RC number is too long",
+                    "Enter a CRN or RC number in the correct format",
+                ],
             },
             forms.RegisterDetailsCommercialUKForm,
         ),
@@ -200,7 +206,10 @@ def test_register_details_form_required_fields(
                     "UK VAT number can only include numbers and letters",
                     "Enter a UK VAT number in the correct format",
                 ],
-                "registration_number": ["The CRN or RC number is too long"],
+                "registration_number": [
+                    "The CRN or RC number is too long",
+                    "Enter a CRN or RC number in the correct format",
+                ],
             },
             forms.RegisterDetailsCommercialUKForm,
         ),
@@ -223,7 +232,10 @@ def test_register_details_form_required_fields(
                     "UK VAT number can only include numbers and letters",
                     "Enter a UK VAT number in the correct format",
                 ],
-                "registration_number": ["The CRN or RC number is too long"],
+                "registration_number": [
+                    "The CRN or RC number is too long",
+                    "Enter a CRN or RC number in the correct format",
+                ],
             },
             forms.RegisterDetailsCommercialUKForm,
         ),
@@ -311,7 +323,10 @@ def test_register_details_form_field_validation(
             },
             False,
             {
-                "registration_number": ["The CRN or RC number is too long"],
+                "registration_number": [
+                    "The CRN or RC number is too long",
+                    "Enter a CRN or RC number in the correct format",
+                ],
             },
         ),
         (
@@ -320,7 +335,10 @@ def test_register_details_form_field_validation(
             },
             False,
             {
-                "registration_number": ["The CRN or RC number is too short"],
+                "registration_number": [
+                    "The CRN or RC number is too short",
+                    "Enter a CRN or RC number in the correct format",
+                ],
             },
         ),
         (
@@ -350,7 +368,7 @@ def test_register_details_form_field_validation(
         ),
         (
             {
-                "registration_number": "FF123456",
+                "registration_number": "123456RC",
             },
             False,
             {
@@ -359,7 +377,7 @@ def test_register_details_form_field_validation(
         ),
         (
             {
-                "registration_number": "123456RC",
+                "registration_number": "ABC12345",
             },
             False,
             {
@@ -368,14 +386,39 @@ def test_register_details_form_field_validation(
         ),
         (
             {
-                "registration_number": "RC123456",
+                "registration_number": "A1234567",
+            },
+            False,
+            {
+                "registration_number": ["Enter a CRN or RC number in the correct format"],
+            },
+        ),
+        (
+            {
+                "registration_number": "SO123456",
+            },
+            False,
+            {
+                "registration_number": ["Enter a CRN or RC number in the correct format"],
+            },
+        ),
+        (
+            {
+                "registration_number": "12345678",
             },
             True,
             None,
         ),
         (
             {
-                "registration_number": "12345678",
+                "registration_number": "NI123456",
+            },
+            True,
+            None,
+        ),
+        (
+            {
+                "registration_number": "RC123456",
             },
             True,
             None,