Fix DOM Clobbering CVE (#5671)

Author: lukastaegert

src/ast/nodes/MetaProperty.ts

@@ -1,10 +1,10 @@
 import type MagicString from 'magic-string';
 import type { InternalModuleFormat } from '../../rollup/types';
-import type { PluginDriver } from '../../utils/PluginDriver';
 import { escapeId } from '../../utils/escapeId';
 import type { GenerateCodeSnippets } from '../../utils/generateCodeSnippets';
 import { DOCUMENT_CURRENT_SCRIPT } from '../../utils/interopHelpers';
 import { dirname, normalize, relative } from '../../utils/path';
+import type { PluginDriver } from '../../utils/PluginDriver';
 import type { RenderOptions } from '../../utils/renderHelpers';
 import type { NodeInteraction } from '../NodeInteractions';
 import { INTERACTION_ACCESSED } from '../NodeInteractions';
@@ -158,7 +158,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
 	getResolveUrl(
 		`'${escapeId(relativePath)}', ${
 			umd ? `typeof document === 'undefined' ? location.href : ` : ''
-		}document.currentScript && document.currentScript.src || document.baseURI`
+		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
 	);
 
 const getGenericImportMetaMechanism =
@@ -180,7 +180,7 @@ const getFileUrlFromRelativePath = (path: string) =>
 const getUrlFromDocument = (chunkId: string, umd = false) =>
 	`${
 		umd ? `typeof document === 'undefined' ? location.href : ` : ''
-	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
+	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
 		chunkId
 	)}', document.baseURI).href)`;
 

test/chunking-form/samples/asset-needs-code-reference/_expected/cjs/main.js

@@ -1,6 +1,6 @@
 'use strict';
 
-var asset2 = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/logo2.svg').href : new URL('logo2.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var asset2 = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/logo2.svg').href : new URL('logo2.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 {
 	const image = document.createElement('img');

test/chunking-form/samples/emit-file/emit-chunk-with-importer/_expected/cjs/main.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const getWorkerMessage = () => new Promise(resolve => {
-  const worker = new Worker((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/worker-proxy.js').href : new URL('worker-proxy.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+  const worker = new Worker((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/worker-proxy.js').href : new URL('worker-proxy.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
   worker.onmessage = resolve;
 });
 

test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/chunks/nested.js

@@ -1,3 +1,3 @@
 'use strict';
 
-PLACEHOLDER((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/worker.js').href : new URL('worker.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+PLACEHOLDER((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/worker.js').href : new URL('worker.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));

test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/chunks/worker-proxy.js

@@ -3,7 +3,7 @@
 var shared = require('./chunks/shared.js');
 
 const getWorkerMessage = () => new Promise(resolve => {
-  const worker = new Worker((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/chunks/worker-proxy.js').href : new URL('chunks/worker-proxy.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+  const worker = new Worker((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/chunks/worker-proxy.js').href : new URL('chunks/worker-proxy.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
   worker.onmessage = resolve;
 });
 

test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/main.js

@@ -2,6 +2,6 @@
 
 var shared = require('./chunks/shared.js');
 
-CSS.paintWorklet.addModule((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/chunks/worklet.js').href : new URL('chunks/worklet.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+CSS.paintWorklet.addModule((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/chunks/worklet.js').href : new URL('chunks/worklet.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
 
 document.body.innerHTML += `<h1 style="background-image: paint(vertical-lines);">color: ${shared.color}, size: ${shared.size}</h1>`;

test/chunking-form/samples/emit-file/emit-chunk-worklet/_expected/cjs/main.js

@@ -1,6 +1,6 @@
 'use strict';
 
-var logo = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/assets/logo1-FquQRdV3.svg').href : new URL('assets/logo1-FquQRdV3.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var logo = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/assets/logo1-FquQRdV3.svg').href : new URL('assets/logo1-FquQRdV3.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 function showImage(url) {
 	console.log(url);

test/chunking-form/samples/emit-file/reference-files/_expected/cjs/main.js

@@ -2,6 +2,6 @@
 
 var main = require('../main.js');
 
-var logo = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/../assets/logo2-DJfvToLT.svg').href : new URL('../assets/logo2-DJfvToLT.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var logo = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/../assets/logo2-DJfvToLT.svg').href : new URL('../assets/logo2-DJfvToLT.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 main.showImage(logo);

test/chunking-form/samples/emit-file/reference-files/_expected/cjs/nested/chunk.js

@@ -1,6 +1,6 @@
 'use strict';
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
-const url = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('0/1/nested.js', document.baseURI).href));
+const url = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('0/1/nested.js', document.baseURI).href));
 
 exports.url = url;

test/chunking-form/samples/emit-file/set-asset-source/_expected/cjs/main.js

@@ -9,7 +9,7 @@ function log(url) {
 	}
 }
 
-log('main: ' + (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('main.js', document.baseURI).href)));
+log('main: ' + (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('main.js', document.baseURI).href)));
 Promise.resolve().then(function () { return require('./nested/chunk.js'); });
 
 exports.log = log;

test/chunking-form/samples/import-meta-numeric-paths/_expected/cjs/0/1/nested.js

@@ -3,4 +3,4 @@
 var main = require('../main.js');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
-main.log('nested: ' + (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('nested/chunk.js', document.baseURI).href)));
+main.log('nested: ' + (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('nested/chunk.js', document.baseURI).href)));

test/chunking-form/samples/import-meta-url/_expected/cjs/main.js

@@ -1,7 +1,7 @@
 'use strict';
 
 var num = 2;
-console.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.src || document.baseURI).href));
+console.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
 
 exports.num = num;
 console.log({
@@ -18,24 +18,24 @@ console.log({
   "name": "dep2",
   "type": "chunk",
   "dynamicImports": [],
-  "fileName": "chunk-dep2-DaLIbws0.js",
+  "fileName": "chunk-dep2-Cr_zOuBy.js",
   "implicitlyLoadedBefore": [],
   "importedBindings": {},
   "imports": [],
   "modules": {
     "**/dep2.js": {
-      "code": "var num = 2;\nconsole.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.src || document.baseURI).href));",
+      "code": "var num = 2;\nconsole.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));",
       "originalLength": 19,
       "removedExports": [],
       "renderedExports": [
         "num"
       ],
-      "renderedLength": 269
+      "renderedLength": 330
     }
   },
   "referencedFiles": [
     "asset-test-C4X7hChn"
   ]
 });
-console.log('all chunks', ["entry-main1-s6RHXqBe.js","entry-main2-DPo9-iBy.js","chunk-dep2-DaLIbws0.js"])
+console.log('all chunks', ["entry-main1-CW_cw0go.js","entry-main2-CvqsXhWd.js","chunk-dep2-Cr_zOuBy.js"])
 console.log('referenced asset in renderChunk', 'asset-test-C4X7hChn');

test/chunking-form/samples/import-meta-url/_expected/cjs/nested/chunk.js

@@ -1,12 +1,12 @@
 'use strict';
 
-var dep2 = require('./chunk-dep2-DaLIbws0.js');
+var dep2 = require('./chunk-dep2-Cr_zOuBy.js');
 
 var num = 1;
-console.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.src || document.baseURI).href));
+console.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
 
 console.log(num + dep2.num);
-console.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.src || document.baseURI).href));
+console.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
 console.log({
   "exports": [],
   "facadeModuleId": "**/main1.js",
@@ -20,37 +20,37 @@ console.log({
   "name": "main1",
   "type": "chunk",
   "dynamicImports": [],
-  "fileName": "entry-main1-s6RHXqBe.js",
+  "fileName": "entry-main1-CW_cw0go.js",
   "implicitlyLoadedBefore": [],
   "importedBindings": {
-    "chunk-dep2-DaLIbws0.js": [
+    "chunk-dep2-Cr_zOuBy.js": [
       "num"
     ]
   },
   "imports": [
-    "chunk-dep2-DaLIbws0.js"
+    "chunk-dep2-Cr_zOuBy.js"
   ],
   "modules": {
     "**/dep1.js": {
-      "code": "var num = 1;\nconsole.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.src || document.baseURI).href));",
+      "code": "var num = 1;\nconsole.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));",
       "originalLength": 19,
       "removedExports": [],
       "renderedExports": [
         "num"
       ],
-      "renderedLength": 269
+      "renderedLength": 330
     },
     "**/main1.js": {
-      "code": "console.log(num + dep2.num);\nconsole.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.src || document.baseURI).href));",
+      "code": "console.log(num + dep2.num);\nconsole.log('referenced asset', (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/asset-test-C4X7hChn').href : new URL('asset-test-C4X7hChn', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));",
       "originalLength": 102,
       "removedExports": [],
       "renderedExports": [],
-      "renderedLength": 285
+      "renderedLength": 346
     }
   },
   "referencedFiles": [
     "asset-test-C4X7hChn"
   ]
 });
-console.log('all chunks', ["entry-main1-s6RHXqBe.js","entry-main2-DPo9-iBy.js","chunk-dep2-DaLIbws0.js"])
+console.log('all chunks', ["entry-main1-CW_cw0go.js","entry-main2-CvqsXhWd.js","chunk-dep2-Cr_zOuBy.js"])
 console.log('referenced asset in renderChunk', 'asset-test-C4X7hChn');