Prevent management pages using "plugin" GOV.UK Frontend views

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Fixes
+
+- [#2355: Prevent management pages using "plugin" GOV.UK Frontend views](https://github.com/alphagov/govuk-prototype-kit/pull/2355)
+
 ## 13.13.4
 
 ### Fixes

lib/build.js

@@ -96,7 +96,7 @@ function sassKitFrontendDependency () {
   const govukFrontendInternal = govukFrontendPaths([packageDir, projectDir])
 
   // Get GOV.UK Frontend (internal) stylesheets
-  const govukFrontendSass = (govukFrontendInternal.config?.sass || [])
+  const govukFrontendSass = [govukFrontendInternal.config.sass].flat()
     .map(sassPath => path.join(govukFrontendInternal.baseDir, sassPath))
 
   const fileContents = sassVariables('/manage-prototype/dependencies') +

lib/errorServer.js

@@ -102,17 +102,13 @@ function runErrorServer (error) {
     res.setHeader('Content-Type', 'text/html')
     res.writeHead(500)
 
-    // Get GOV.UK Frontend (internal) views
-    const govukFrontendNunjucksPaths = (govukFrontendInternal.config?.nunjucksPaths || [])
-      .map(nunjucksPath => path.join(govukFrontendInternal.baseDir, nunjucksPath))
-
     const fileContentsParts = []
 
     try {
-      const nunjucksAppEnv = getNunjucksAppEnv([
-        path.join(__dirname, 'nunjucks'),
-        ...govukFrontendNunjucksPaths
-      ])
+      const nunjucksAppEnv = getNunjucksAppEnv(
+        [path.join(__dirname, 'nunjucks')],
+        govukFrontendInternal // Add GOV.UK Frontend paths to Nunjucks views
+      )
       res.end(nunjucksAppEnv.render('views/error-handling/server-error', {
         govukFrontendInternal, // Add GOV.UK Frontend paths to Nunjucks context
         ...getErrorModel(error)

lib/govukFrontendPaths.js

@@ -8,7 +8,7 @@ const fse = require('fs-extra')
  * Find GOV.UK Frontend via search paths
  *
  * @param {string[]} searchPaths - Search paths for `require.resolve()`
- * @returns {{ baseDir: string, includePath: string, assetPath: string, config: { [key: string]: unknown } }}
+ * @returns {GOVUKFrontendPaths}
  */
 function govukFrontendPaths (searchPaths = []) {
   /**
@@ -29,12 +29,23 @@ function govukFrontendPaths (searchPaths = []) {
     assetPath: `/${path.relative(baseDir, path.join(includeDir, 'assets'))}`,
 
     // GOV.UK Frontend plugin config
-    config: fse.readJsonSync(path.join(baseDir, 'govuk-prototype-kit.config.json'), {
-      throws: false
-    })
+    config: fse.readJsonSync(path.join(baseDir, 'govuk-prototype-kit.config.json'), { throws: false }) ?? {
+      nunjucksPaths: [],
+      sass: []
+    }
   }
 }
 
 module.exports = {
   govukFrontendPaths
 }
+
+/**
+ * GOV.UK Frontend paths object
+ *
+ * @typedef {object} GOVUKFrontendPaths
+ * @property {string} baseDir - GOV.UK Frontend directory path
+ * @property {URL["pathname"]} includePath - URL path to GOV.UK Frontend includes
+ * @property {URL["pathname"]} assetPath - URL path to GOV.UK Frontend assets
+ * @property {{ [key: string]: unknown }} config - GOV.UK Frontend plugin config
+ */

lib/manage-prototype-handlers.js

@@ -10,6 +10,7 @@ const { doubleCsrf } = require('csrf-csrf')
 const config = require('./config')
 const plugins = require('./plugins/plugins')
 const { exec } = require('./exec')
+const { govukFrontendPaths } = require('./govukFrontendPaths')
 const { prototypeAppScripts } = require('./utils')
 const { projectDir, packageDir, appViewsDir } = require('./utils/paths')
 const nunjucksConfiguration = require('./nunjucks/nunjucksConfiguration')
@@ -31,6 +32,13 @@ const appViews = plugins.getAppViews([
   path.join(packageDir, 'lib/final-backup-nunjucks')
 ])
 
+// Nunjucks environment for management pages skips `getAppViews()` to
+// avoid plugins but adds GOV.UK Frontend views via internal package
+const nunjucksManagementEnv = nunjucksConfiguration.getNunjucksAppEnv(
+  [path.join(__dirname, 'nunjucks')],
+  govukFrontendPaths([packageDir, projectDir])
+)
+
 let kitRestarted = false
 
 const {
@@ -83,19 +91,19 @@ function getCsrfTokenHandler (req, res) {
 
 // Clear all data in session
 function getClearDataHandler (req, res) {
-  res.render(getManagementView('clear-data.njk'))
+  res.send(nunjucksManagementEnv.render(getManagementView('clear-data.njk'), req.app.locals))
 }
 
 function postClearDataHandler (req, res) {
   req.session.data = {}
-  res.render(getManagementView('clear-data-success.njk'))
+  res.send(nunjucksManagementEnv.render(getManagementView('clear-data-success.njk')))
 }
 
 // Render password page with a returnURL to redirect people to where they came from
 function getPasswordHandler (req, res) {
   const returnURL = req.query.returnURL || '/'
   const error = req.query.error
-  res.render(getManagementView('password.njk'), { returnURL, error })
+  res.send(nunjucksManagementEnv.render(getManagementView('password.njk'), { ...req.app.locals, returnURL, error }))
 }
 
 // Check authentication password
@@ -125,7 +133,7 @@ function developmentOnlyMiddleware (req, res, next) {
   if (config.getConfig().isDevelopment || req.url.startsWith('/dependencies/govuk-frontend')) {
     next()
   } else {
-    res.render(getManagementView('manage-prototype-not-available.njk'))
+    res.send(nunjucksManagementEnv.render(getManagementView('manage-prototype-not-available.njk'), req.app.locals))
   }
 }
 
@@ -173,6 +181,7 @@ async function getHomeHandler (req, res) {
   const kitPackage = await lookupPackageInfo('govuk-prototype-kit')
 
   const viewData = {
+    ...req.app.locals,
     currentUrl: req.originalUrl,
     currentSection: pageName,
     links: managementLinks,
@@ -189,7 +198,7 @@ async function getHomeHandler (req, res) {
     ]
   }
 
-  res.render(getManagementView('index.njk'), viewData)
+  res.send(nunjucksManagementEnv.render(getManagementView('index.njk'), viewData))
 }
 
 function exampleTemplateConfig (packageName, { name, path }) {
@@ -242,12 +251,13 @@ async function getTemplatesHandler (req, res) {
     }
   }
 
-  res.render(getManagementView('templates.njk'), {
+  res.send(nunjucksManagementEnv.render(getManagementView('templates.njk'), {
+    ...req.app.locals,
     currentSection: pageName,
     links: managementLinks,
     availableTemplates,
     commonTemplatesDetails
-  })
+  }))
 }
 
 function locateTemplateConfig (req) {
@@ -279,6 +289,8 @@ function getTemplatesViewHandler (req, res) {
   }
   const templateConfig = locateTemplateConfig(req)
 
+  // Nunjucks environment for template previews uses `getAppViews()` to
+  // add plugins including GOV.UK Frontend views via project package
   const nunjucksAppEnv = nunjucksConfiguration.getNunjucksAppEnv(appViews)
 
   if (templateConfig) {
@@ -292,7 +304,8 @@ function getTemplatesInstallHandler (req, res) {
   const templateConfig = locateTemplateConfig(req)
 
   if (templateConfig) {
-    res.render(getManagementView('template-install.njk'), {
+    res.send(nunjucksManagementEnv.render(getManagementView('template-install.njk'), {
+      ...req.app.locals,
       currentSection: 'Templates',
       pageName: `Create new ${templateConfig.name}`,
       currentUrl: req.originalUrl,
@@ -307,7 +320,7 @@ function getTemplatesInstallHandler (req, res) {
         invalid: 'Path must not include !$&\'()*+,;=:?#[]@.% or space'
       })[req.query.errorType],
       chosenUrl: req.query['chosen-url']
-    })
+    }))
   } else {
     res.status(404).send('Template not found.')
   }
@@ -381,13 +394,14 @@ function getTemplatesPostInstallHandler (req, res) {
   const pageName = 'Page created'
   const chosenUrl = req.query['chosen-url']
 
-  res.render(getManagementView('template-post-install.njk'), {
+  res.send(nunjucksManagementEnv.render(getManagementView('template-post-install.njk'), {
+    ...req.app.locals,
     currentSection: 'Templates',
     pageName,
     links: managementLinks,
     url: chosenUrl,
     filePath: path.join('app', 'views', `${chosenUrl}.${getFileExtensionForNunjucksFiles()}`)
-  })
+  }))
 }
 
 function buildPluginData (pluginData) {
@@ -510,6 +524,7 @@ async function getPluginsHandler (req, res) {
   const foundMessage = found === 1 ? found + ' Plugin found' : found + ' Plugins found'
   const updatesMessage = updates ? updates === 1 ? updates + ' UPDATE AVAILABLE' : updates + ' UPDATES AVAILABLE' : ''
   const model = {
+    ...req.app.locals,
     currentSection: pageName,
     links: managementLinks,
     isInstalledPage,
@@ -520,7 +535,7 @@ async function getPluginsHandler (req, res) {
     foundMessage,
     status
   }
-  res.render(getManagementView('plugins.njk'), model)
+  res.send(nunjucksManagementEnv.render(getManagementView('plugins.njk'), model))
 }
 
 async function postPluginsHandler (req, res) {
@@ -615,7 +630,8 @@ async function getPluginsModeHandler (req, res) {
     dependencyHeading = `${fullPluginName} needs other plugins`
   }
 
-  res.render(getManagementView('plugin-install-or-uninstall.njk'), {
+  res.send(nunjucksManagementEnv.render(getManagementView('plugin-install-or-uninstall.njk'), {
+    ...req.app.locals,
     currentSection: 'Plugins',
     pageName,
     currentUrl: req.originalUrl,
@@ -627,7 +643,7 @@ async function getPluginsModeHandler (req, res) {
     verb,
     isSameOrigin,
     returnLink
-  })
+  }))
 }
 
 function setKitRestarted (state) {