security: fix DOM clobbering in auto public path

webpack · Aug 21, 2024 · 2411661 · 2411661
1 parent f46a03c
commit 2411661
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/lib/runtime/AutoPublicPathRuntimeModule.js b/lib/runtime/AutoPublicPathRuntimeModule.js
@@ -50,7 +50,10 @@ class AutoPublicPathRuntimeModule extends RuntimeModule {
 						`var document = ${RuntimeGlobals.global}.document;`,
 						"if (!scriptUrl && document) {",
 						Template.indent([
-							"if (document.currentScript)",
+							// Technically we could use `document.currentScript instanceof window.HTMLScriptElement`,
+							// but an attacker could try to inject `<script>HTMLScriptElement = HTMLImageElement</script>`
+							// and use `<img name="currentScript" src="https://attacker.controlled.server/"></img>`
+							"if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT')",
 							Template.indent("scriptUrl = document.currentScript.src;"),
 							"if (!scriptUrl) {",
 							Template.indent([