fix: sha hash for CSP policy not being generated dynamically

Author: paddy-hmcts

src/main/assets/js/postcode-lookup.ts

@@ -89,11 +89,12 @@ export function initPostcodeLookup(): void {
       { field: country, value: selected.dataset.country },
     ];
 
-    fieldMappings.forEach(({ field, value }) => {
+    for (let i = 0; i < fieldMappings.length; i++) {
+      const { field, value } = fieldMappings[i];
       if (field) {
         field.value = value || '';
       }
-    });
+    }
 
     addressLine1?.focus();
   };
@@ -194,7 +195,8 @@ export function initPostcodeLookup(): void {
     return;
   }
 
-  containers.forEach(container => {
+  for (let i = 0; i < containers.length; i++) {
+    const container = containers[i];
     const { postcodeInput, findBtn, select, selectContainer } = getParts(container);
     if (!postcodeInput || !findBtn || !select) {
       return;
@@ -210,5 +212,5 @@ export function initPostcodeLookup(): void {
       }
       await performPostcodeLookup(value, select, selectContainer, findBtn);
     });
-  });
+  }
 }

src/main/assets/js/postcode-select.ts

@@ -5,11 +5,11 @@ export function initPostcodeSelection(): void {
   // Be robust to environments that cannot safely stub window.location
   let href = '';
   // Prefer explicit test hook when present
-  if ((window as { __testHref?: string }).__testHref) {
-    href = (window as { __testHref?: string }).__testHref as string;
+  if ((globalThis as { __testHref?: string }).__testHref) {
+    href = (globalThis as { __testHref?: string }).__testHref as string;
   } else {
     try {
-      href = (window as { location?: { href?: string } })?.location?.href || '';
+      href = (globalThis as { location?: { href?: string } })?.location?.href || '';
     } catch {
       href = '';
     }

src/main/modules/helmet/scriptHashes.ts

@@ -1,35 +1,44 @@
+import { createHash } from 'crypto';
 import { readFileSync } from 'fs';
-import * as path from 'path';
 
-const DEFAULT_MANIFEST_PATH = path.resolve(__dirname, '..', '..', 'public', 'csp-script-hashes.json');
-const GOVUK_TEMPLATE_SCRIPT_HASH = "'sha256-GUQ5ad8JK5KmEWmROf3LZd9ge94daqNvd8xy9YS1iDw='";
+const GOVUK_TEMPLATE_PATH = require.resolve('govuk-frontend/dist/govuk/template.njk');
+const SCRIPT_TAG_REGEX = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
 
-function readManifest(manifestPath: string): string[] {
-  try {
-    const content = readFileSync(manifestPath, 'utf8');
-    const parsed = JSON.parse(content);
-    if (!parsed || !Array.isArray(parsed.scriptHashes)) {
-      return [];
-    }
+function computeHash(input: string): string {
+  return `'sha256-${createHash('sha256').update(input, 'utf8').digest('base64')}'`;
+}
+
+function extractInlineScriptContent(template: string): string[] {
+  const scripts: string[] = [];
+  let match: RegExpExecArray | null;
 
-    return parsed.scriptHashes.filter(
-      (hash: unknown): hash is string => typeof hash === 'string' && hash.startsWith("'sha256-")
-    );
-  } catch (error: unknown) {
-    // eslint-disable-next-line no-console
-    console.error('Error reading manifest file:', error);
-    return [];
+  while ((match = SCRIPT_TAG_REGEX.exec(template)) !== null) {
+    const content = match[1];
+    if (content && content.trim().length > 0) {
+      scripts.push(content);
+    }
   }
+
+  return scripts;
 }
 
-function buildInlineScriptHashes(manifestPath: string): string[] {
-  const hashes = new Set<string>([GOVUK_TEMPLATE_SCRIPT_HASH]);
-  for (const hash of readManifest(manifestPath)) {
-    hashes.add(hash);
+export function getInlineScriptHashes(): string[] {
+  const templateContent = readFileSync(GOVUK_TEMPLATE_PATH, 'utf8');
+  const inlineScripts = extractInlineScriptContent(templateContent);
+  const hashes = new Set<string>();
+
+  inlineScripts.forEach(script => hashes.add(computeHash(script)));
+
+  if (hashes.size === 0) {
+    throw new Error(`No inline scripts found in GOV.UK template at ${GOVUK_TEMPLATE_PATH}`);
   }
+
   return Array.from(hashes);
 }
 
-export function getInlineScriptHashes(): string[] {
-  return buildInlineScriptHashes(DEFAULT_MANIFEST_PATH);
-}
+// Exported for testing
+export const __testUtils = {
+  computeHash,
+  extractInlineScriptContent,
+  GOVUK_TEMPLATE_PATH,
+};

src/test/unit/modules/helmet/scriptHashes.test.ts

@@ -1,45 +1,46 @@
-import { existsSync, unlinkSync, writeFileSync } from 'fs';
-import * as path from 'path';
+import { readFileSync } from 'fs';
 
-const modulePath = '../../../../main/modules/helmet/scriptHashes';
-const manifestPath = path.resolve(__dirname, '../../../../main/public/csp-script-hashes.json');
+import { __testUtils, getInlineScriptHashes } from '../../../../main/modules/helmet/scriptHashes';
 
 describe('getInlineScriptHashes', () => {
-  beforeEach(() => {
-    jest.resetModules();
-    if (existsSync(manifestPath)) {
-      unlinkSync(manifestPath);
-    }
+  it('returns hashes for all inline scripts in the GOV.UK template', () => {
+    const template = readFileSync(__testUtils.GOVUK_TEMPLATE_PATH, 'utf8');
+    const inlineScripts = __testUtils.extractInlineScriptContent(template);
+    const hashes = getInlineScriptHashes();
+
+    expect(inlineScripts.length).toBeGreaterThan(0);
+    inlineScripts.forEach(script => {
+      const expected = __testUtils.computeHash(script);
+      expect(hashes).toContain(expected);
+    });
   });
 
-  afterAll(() => {
-    if (existsSync(manifestPath)) {
-      unlinkSync(manifestPath);
-    }
-  });
-
-  it('includes hashes from the webpack manifest and the GOV.UK template hash', () => {
-    writeFileSync(manifestPath, JSON.stringify({ scriptHashes: ["'sha256-inline-from-manifest'"] }), 'utf8');
-
-    const { getInlineScriptHashes } = require(modulePath);
+  it('produces values suitable for CSP script-src', () => {
+    const hashes = getInlineScriptHashes();
 
-    expect(getInlineScriptHashes()).toEqual([
-      "'sha256-GUQ5ad8JK5KmEWmROf3LZd9ge94daqNvd8xy9YS1iDw='",
-      "'sha256-inline-from-manifest'",
-    ]);
+    hashes.forEach(hash => {
+      expect(hash.startsWith("'sha256-")).toBe(true);
+      expect(hash.endsWith("'")).toBe(true);
+      expect(hash.length).toBeGreaterThan("'sha256-".length + 1);
+    });
   });
+});
 
-  it('returns only the GOV.UK template hash when the manifest is missing', () => {
-    const { getInlineScriptHashes } = require(modulePath);
-
-    expect(getInlineScriptHashes()).toEqual(["'sha256-GUQ5ad8JK5KmEWmROf3LZd9ge94daqNvd8xy9YS1iDw='"]);
-  });
-
-  it('ignores malformed manifest content', () => {
-    writeFileSync(manifestPath, JSON.stringify({ scriptHashes: 'not-an-array' }), 'utf8');
-
-    const { getInlineScriptHashes } = require(modulePath);
-
-    expect(getInlineScriptHashes()).toEqual(["'sha256-GUQ5ad8JK5KmEWmROf3LZd9ge94daqNvd8xy9YS1iDw='"]);
+describe('extractInlineScriptContent', () => {
+  it('captures inline script bodies from a template string', () => {
+    const scripts = __testUtils.extractInlineScriptContent(`
+      <html>
+        <head></head>
+        <body>
+          <script>console.log('alpha');</script>
+          <script type="text/javascript">
+            window.test = true;
+          </script>
+          <script src="/bundle.js"></script>
+        </body>
+      </html>
+    `);
+
+    expect(scripts).toEqual(["console.log('alpha');", '\n            window.test = true;\n          ']);
   });
 });

webpack.config.js

@@ -5,7 +5,6 @@ const sourcePath = path.resolve(__dirname, 'src/main/assets/js');
 const govukFrontend = require(path.resolve(__dirname, 'webpack/govukFrontend'));
 const scss = require(path.resolve(__dirname, 'webpack/scss'));
 const HtmlWebpack = require(path.resolve(__dirname, 'webpack/htmlWebpack'));
-const CspHashPlugin = require(path.resolve(__dirname, 'webpack/cspHashPlugin'));
 
 const locales = path.resolve(__dirname, 'src/main/assets/locales');
 
@@ -18,7 +17,6 @@ module.exports = {
     ...govukFrontend.plugins,
     ...scss.plugins,
     ...HtmlWebpack.plugins,
-    new CspHashPlugin(),
     new CopyWebpackPlugin({
       patterns: [{ from: locales, to: 'locales' }],
     }),