fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)

fix: resolve DOM Clobbering CVE-2024-43788
rollup · Sep 26, 2024 · 48aef33 · 48aef33
1 parent 69ff418
commit 48aef33
Show file tree

Hide file tree

Showing 47 changed files with 79 additions and 79 deletions.
diff --git a/src/ast/nodes/MetaProperty.ts b/src/ast/nodes/MetaProperty.ts
@@ -192,7 +192,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
 	getResolveUrl(
 		`'${relativePath}', ${
 			umd ? `typeof document === 'undefined' ? location.href : ` : ''
-		}document.currentScript && document.currentScript.src || document.baseURI`
+		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
 	);
 
 const getGenericImportMetaMechanism =
@@ -209,7 +209,7 @@ const getGenericImportMetaMechanism =
 const getUrlFromDocument = (chunkId: string, umd = false) =>
 	`${
 		umd ? `typeof document === 'undefined' ? location.href : ` : ''
-	}(document.currentScript && document.currentScript.src || new URL('${chunkId}', document.baseURI).href)`;
+	}(document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || new URL('${chunkId}', document.baseURI).href)`;
 
 const relativeUrlMechanisms: Record<InternalModuleFormat, (relativePath: string) => string> = {
 	amd: relativePath => {

diff --git a/test/chunking-form/samples/deprecated/configure-asset-url/_expected/cjs/main.js b/test/chunking-form/samples/deprecated/configure-asset-url/_expected/cjs/main.js
@@ -2,6 +2,6 @@
 
 var asset2 = 'resolved';
 
-var asset3 = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/assets/asset-unresolved-8dcd7fca.txt').href : new URL('assets/asset-unresolved-8dcd7fca.txt', document.currentScript && document.currentScript.src || document.baseURI).href);
+var asset3 = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/assets/asset-unresolved-8dcd7fca.txt').href : new URL('assets/asset-unresolved-8dcd7fca.txt', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 Promise.resolve().then(function () { return require('./nested/chunk.js'); }).then(result => console.log(result, asset2, asset3));
diff --git a/...ng-form/samples/deprecated/configure-file-url-for-assets-and-chunks/_expected/cjs/main.js b/...ng-form/samples/deprecated/configure-file-url-for-assets-and-chunks/_expected/cjs/main.js
@@ -3,7 +3,7 @@
 const asset$1 = 'resolved';
 const chunk$1 = 'resolved';
 
-const asset = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/assets/asset-unresolved-8dcd7fca.txt').href : new URL('assets/asset-unresolved-8dcd7fca.txt', document.currentScript && document.currentScript.src || document.baseURI).href);
-const chunk = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/nested/chunk.js').href : new URL('nested/chunk.js', document.currentScript && document.currentScript.src || document.baseURI).href);
+const asset = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/assets/asset-unresolved-8dcd7fca.txt').href : new URL('assets/asset-unresolved-8dcd7fca.txt', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
+const chunk = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/nested/chunk.js').href : new URL('nested/chunk.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 Promise.resolve().then(function () { return require('./nested/chunk2.js'); }).then(result => console.log(result, chunk$1, chunk, asset$1, asset));
diff --git a/test/chunking-form/samples/deprecated/emit-asset/_expected/cjs/main.js b/test/chunking-form/samples/deprecated/emit-asset/_expected/cjs/main.js
@@ -2,7 +2,7 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var logo = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/assets/logo1-a5ec488b.svg').href : new URL('assets/logo1-a5ec488b.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var logo = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/assets/logo1-a5ec488b.svg').href : new URL('assets/logo1-a5ec488b.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 function showImage(url) {
 	console.log(url);

diff --git a/test/chunking-form/samples/deprecated/emit-asset/_expected/cjs/nested/chunk.js b/test/chunking-form/samples/deprecated/emit-asset/_expected/cjs/nested/chunk.js
@@ -2,6 +2,6 @@
 
 var main = require('../main.js');
 
-var logo = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/../assets/logo2-6d5979e4.svg').href : new URL('../assets/logo2-6d5979e4.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var logo = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/../assets/logo2-6d5979e4.svg').href : new URL('../assets/logo2-6d5979e4.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 main.showImage(logo);
diff --git a/test/chunking-form/samples/deprecated/emit-chunk-worker/_expected/cjs/chunks/nested.js b/test/chunking-form/samples/deprecated/emit-chunk-worker/_expected/cjs/chunks/nested.js
@@ -1,7 +1,7 @@
 'use strict';
 
 const getWorkerMessage = () => new Promise(resolve => {
-  const worker = new Worker((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/worker-proxy.js').href : new URL('worker-proxy.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+  const worker = new Worker((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/worker-proxy.js').href : new URL('worker-proxy.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
   worker.onmessage = resolve;
 });
 

diff --git a/test/chunking-form/samples/deprecated/emit-chunk-worker/_expected/cjs/chunks/worker-proxy.js b/test/chunking-form/samples/deprecated/emit-chunk-worker/_expected/cjs/chunks/worker-proxy.js
@@ -1,3 +1,3 @@
 'use strict';
 
-PLACEHOLDER((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/worker.js').href : new URL('worker.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+PLACEHOLDER((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/worker.js').href : new URL('worker.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
diff --git a/test/chunking-form/samples/deprecated/emit-chunk-worker/_expected/cjs/main.js b/test/chunking-form/samples/deprecated/emit-chunk-worker/_expected/cjs/main.js
@@ -3,7 +3,7 @@
 var shared = require('./chunks/shared.js');
 
 const getWorkerMessage = () => new Promise(resolve => {
-  const worker = new Worker((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/chunks/worker-proxy.js').href : new URL('chunks/worker-proxy.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+  const worker = new Worker((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/chunks/worker-proxy.js').href : new URL('chunks/worker-proxy.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
   worker.onmessage = resolve;
 });
 

diff --git a/test/chunking-form/samples/deprecated/emit-chunk-worklet/_expected/cjs/main.js b/test/chunking-form/samples/deprecated/emit-chunk-worklet/_expected/cjs/main.js
@@ -2,6 +2,6 @@
 
 var shared = require('./chunks/shared.js');
 
-CSS.paintWorklet.addModule((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/chunks/worklet.js').href : new URL('chunks/worklet.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+CSS.paintWorklet.addModule((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/chunks/worklet.js').href : new URL('chunks/worklet.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
 
 document.body.innerHTML += `<h1 style="background-image: paint(vertical-lines);">color: ${shared.color}, size: ${shared.size}</h1>`;
diff --git a/test/chunking-form/samples/emit-file/emit-chunk-with-importer/_expected/cjs/main.js b/test/chunking-form/samples/emit-file/emit-chunk-with-importer/_expected/cjs/main.js
diff --git a/test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/chunks/nested.js b/test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/chunks/nested.js
@@ -1,7 +1,7 @@
 'use strict';
 
 const getWorkerMessage = () => new Promise(resolve => {
-  const worker = new Worker((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/worker-proxy.js').href : new URL('worker-proxy.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+  const worker = new Worker((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/worker-proxy.js').href : new URL('worker-proxy.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
   worker.onmessage = resolve;
 });
 

diff --git a/test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/chunks/worker-proxy.js b/test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/chunks/worker-proxy.js
@@ -1,3 +1,3 @@
 'use strict';
 
-PLACEHOLDER((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/worker.js').href : new URL('worker.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+PLACEHOLDER((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/worker.js').href : new URL('worker.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
diff --git a/test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/main.js b/test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/main.js
@@ -3,7 +3,7 @@
 var shared = require('./chunks/shared.js');
 
 const getWorkerMessage = () => new Promise(resolve => {
-  const worker = new Worker((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/chunks/worker-proxy.js').href : new URL('chunks/worker-proxy.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+  const worker = new Worker((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/chunks/worker-proxy.js').href : new URL('chunks/worker-proxy.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
   worker.onmessage = resolve;
 });
 

diff --git a/test/chunking-form/samples/emit-file/emit-chunk-worklet/_expected/cjs/main.js b/test/chunking-form/samples/emit-file/emit-chunk-worklet/_expected/cjs/main.js
@@ -2,6 +2,6 @@
 
 var shared = require('./chunks/shared.js');
 
-CSS.paintWorklet.addModule((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/chunks/worklet.js').href : new URL('chunks/worklet.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+CSS.paintWorklet.addModule((typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/chunks/worklet.js').href : new URL('chunks/worklet.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
 
 document.body.innerHTML += `<h1 style="background-image: paint(vertical-lines);">color: ${shared.color}, size: ${shared.size}</h1>`;
diff --git a/test/chunking-form/samples/emit-file/reference-files/_expected/cjs/main.js b/test/chunking-form/samples/emit-file/reference-files/_expected/cjs/main.js
@@ -2,7 +2,7 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var logo = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/assets/logo1-a5ec488b.svg').href : new URL('assets/logo1-a5ec488b.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var logo = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/assets/logo1-a5ec488b.svg').href : new URL('assets/logo1-a5ec488b.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 function showImage(url) {
 	console.log(url);

diff --git a/test/chunking-form/samples/emit-file/reference-files/_expected/cjs/nested/chunk.js b/test/chunking-form/samples/emit-file/reference-files/_expected/cjs/nested/chunk.js
@@ -2,6 +2,6 @@
 
 var main = require('../main.js');
 
-var logo = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/../assets/logo2-6d5979e4.svg').href : new URL('../assets/logo2-6d5979e4.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var logo = (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __dirname + '/../assets/logo2-6d5979e4.svg').href : new URL('../assets/logo2-6d5979e4.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 main.showImage(logo);
diff --git a/test/chunking-form/samples/emit-file/set-asset-source/_expected/cjs/main.js b/test/chunking-form/samples/emit-file/set-asset-source/_expected/cjs/main.js
diff --git a/test/chunking-form/samples/import-meta-url/_expected/cjs/main.js b/test/chunking-form/samples/import-meta-url/_expected/cjs/main.js
@@ -10,7 +10,7 @@ function log(url) {
 	}
 }
 
-log('main: ' + (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __filename).href : (document.currentScript && document.currentScript.src || new URL('main.js', document.baseURI).href)));
+log('main: ' + (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __filename).href : (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || new URL('main.js', document.baseURI).href)));
 Promise.resolve().then(function () { return require('./nested/chunk.js'); });
 
 exports.log = log;
diff --git a/test/chunking-form/samples/import-meta-url/_expected/cjs/nested/chunk.js b/test/chunking-form/samples/import-meta-url/_expected/cjs/nested/chunk.js
@@ -2,4 +2,4 @@
 
 var main = require('../main.js');
 
-main.log('nested: ' + (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __filename).href : (document.currentScript && document.currentScript.src || new URL('nested/chunk.js', document.baseURI).href)));
+main.log('nested: ' + (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __filename).href : (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || new URL('nested/chunk.js', document.baseURI).href)));
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@

		var main = require('../main.js');

		main.log('nested: ' + (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __filename).href : (document.currentScript && document.currentScript.src \|\| new URL('nested/chunk.js', document.baseURI).href)));
		main.log('nested: ' + (typeof document === 'undefined' ? new (require('u' + 'rl').URL)('file:' + __filename).href : (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src \|\| new URL('nested/chunk.js', document.baseURI).href)));