Merge pull request #696 from CloudCannon/fix/dom-clobber
Add safety checks around accesses for `document.currentScript.src`
bglw authored Sep 3, 2024
2 parents 012ac7e + 9528ef5 commit 14ec968
Showing 3 changed files with 39 additions and 13 deletions.
16 changes: 13 additions & 3 deletions pagefind_ui/default/svelte/ui.svelte
Expand Up @@ -99,11 +99,21 @@
[
`Pagefind couldn't be loaded from ${this.options.bundlePath}pagefind.js`,
`You can configure this by passing a bundlePath option to PagefindUI`,
`[DEBUG: Loaded from ${
document?.currentScript?.src ?? "no known script location"
}]`,
].join("\n")
);
// Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
if (
document?.currentScript &&
document.currentScript.tagName.toUpperCase() === "SCRIPT"
) {
console.error(
`[DEBUG: Loaded from ${
document.currentScript.src ?? "bad script location"
}]`
);
} else {
console.error("no known script location");
}
}
if (!excerpt_length) {
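Review bot: The `document.currentScript.tagName.toUpperCase() === "SCRIPT"` guard only proves `currentScript` is a script element if `tagName` is a genuine string, but a clobbered `currentScript` is an attacker-shaped element and the same clobbering technique can shadow `tagName`, in which case `.toUpperCase()` throws a TypeError out of what looks like an error-reporting path (the enclosing block starts above the hunk, so I cannot see whether a try/catch surrounds it). Checking identity instead of a string property is more robust: `if (document?.currentScript instanceof HTMLScriptElement) {`. Separately, `src` on a script element is always a string (empty for an inline script), so the `?? "bad script location"` fallback can never fire; `document.currentScript.src || "bad script location"` produces the intended message. The same `tagName` comparison appears in ui-core.js and in both hunks of modular-core.js, and the same dead `??` fallback in the second modular-core.js hunk. If this file can also run where `HTMLScriptElement` is undefined (the optional chaining on `document` suggests that concern), wrap the `instanceof` in a `typeof HTMLScriptElement !== "undefined"` check.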
9 changes: 6 additions & 3 deletions pagefind_ui/default/ui-core.js
Expand Up @@ -2,9 +2,12 @@ import PagefindSvelte from "./svelte/ui.svelte";

let scriptBundlePath;
try {
scriptBundlePath = new URL(document.currentScript.src).pathname.match(
/^(.*\/)(?:pagefind-)?ui.js.*$/
)[1];
// Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
if (document?.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') {
scriptBundlePath = new URL(document.currentScript.src).pathname.match(
/^(.*\/)(?:pagefind-)?ui.js.*$/
)[1];
}
} catch (e) {
scriptBundlePath = "/pagefind/";
}
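Review bot: When `document.currentScript` is null or is not a script element, the new `if` skips the assignment and `scriptBundlePath` stays `undefined`, whereas the removed code threw on `.src` and took the `"/pagefind/"` fallback in the `catch`; a bundle loaded as a module script (where `currentScript` is null) therefore regresses from a usable default to `undefined`, unless code below the hunk handles that, which I cannot see. Initialising the variable with the fallback restores the old behaviour for every non-throwing path: `let scriptBundlePath = "/pagefind/";`, after which the assignment in `catch` becomes redundant but harmless. The first hunk of modular-core.js has the identical structure and needs the same change.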
27 changes: 20 additions & 7 deletions pagefind_ui/modular/modular-core.js
Expand Up @@ -8,9 +8,12 @@ const sleep = async (ms = 50) =>

let scriptBundlePath;
try {
scriptBundlePath = new URL(document.currentScript.src).pathname.match(
/^(.*\/)(?:pagefind-)?modular-ui.js.*$/
)[1];
// Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
if (document?.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') {
scriptBundlePath = new URL(document.currentScript.src).pathname.match(
/^(.*\/)(?:pagefind-)?modular-ui.js.*$/
)[1];
}
} catch (e) {
scriptBundlePath = "/pagefind/";
}
Expand Down Expand Up @@ -166,12 +169,22 @@ export class Instance {
console.error(
[
`Pagefind couldn't be loaded from ${this.options.bundlePath}pagefind.js`,
`You can configure this by passing a bundlePath option to PagefindComposable Instance`,
`[DEBUG: Loaded from ${
document?.currentScript?.src ?? "no known script location"
}]`,
`You can configure this by passing a bundlePath option to PagefindComposable Instance`
].join("\n")
);
// Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
if (
document?.currentScript &&
document.currentScript.tagName.toUpperCase() === "SCRIPT"
) {
console.error(
`[DEBUG: Loaded from ${
document.currentScript?.src ?? "bad script location"
}]`
);
} else {
console.error("no known script location");
}
}

await imported_pagefind.options(this.pagefindOptions || {});
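Review bot: `document.currentScript?.src ?? "bad script location"` in the second hunk's `console.error` is doubly inert: the optional chain is redundant because the enclosing `if` has already established that `currentScript` is truthy, and `src` on a script element is a string (empty for an inline script), so `??` never selects the fallback. The equivalent line in ui.svelte uses plain `document.currentScript.src`; for consistency and a fallback that actually triggers, `document.currentScript.src || "bad script location"`. The enclosing method of this hunk starts and ends outside the hunk.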
