Fix DOM Clobbering CVE

Author: lukastaegert

src/ast/nodes/MetaProperty.ts

@@ -1,10 +1,10 @@
 import type MagicString from 'magic-string';
 import type { InternalModuleFormat } from '../../rollup/types';
-import type { PluginDriver } from '../../utils/PluginDriver';
 import { escapeId } from '../../utils/escapeId';
 import type { GenerateCodeSnippets } from '../../utils/generateCodeSnippets';
 import { DOCUMENT_CURRENT_SCRIPT } from '../../utils/interopHelpers';
 import { dirname, normalize, relative } from '../../utils/path';
+import type { PluginDriver } from '../../utils/PluginDriver';
 import type { RenderOptions } from '../../utils/renderHelpers';
 import type { NodeInteraction } from '../NodeInteractions';
 import { INTERACTION_ACCESSED } from '../NodeInteractions';
@@ -158,7 +158,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
 	getResolveUrl(
 		`'${escapeId(relativePath)}', ${
 			umd ? `typeof document === 'undefined' ? location.href : ` : ''
-		}document.currentScript && document.currentScript.src || document.baseURI`
+		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
 	);
 
 const getGenericImportMetaMechanism =
@@ -180,7 +180,7 @@ const getFileUrlFromRelativePath = (path: string) =>
 const getUrlFromDocument = (chunkId: string, umd = false) =>
 	`${
 		umd ? `typeof document === 'undefined' ? location.href : ` : ''
-	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
+	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
 		chunkId
 	)}', document.baseURI).href)`;
 

test/chunking-form/samples/asset-needs-code-reference/_expected/cjs/main.js

@@ -1,6 +1,6 @@
 'use strict';
 
-var asset2 = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/logo2.svg').href : new URL('logo2.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var asset2 = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/logo2.svg').href : new URL('logo2.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 {
 	const image = document.createElement('img');

test/chunking-form/samples/emit-file/emit-chunk-with-importer/_expected/cjs/main.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const getWorkerMessage = () => new Promise(resolve => {
-  const worker = new Worker((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/worker-proxy.js').href : new URL('worker-proxy.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+  const worker = new Worker((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/worker-proxy.js').href : new URL('worker-proxy.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
   worker.onmessage = resolve;
 });
 

test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/chunks/nested.js

@@ -1,3 +1,3 @@
 'use strict';
 
-PLACEHOLDER((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/worker.js').href : new URL('worker.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+PLACEHOLDER((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/worker.js').href : new URL('worker.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));

test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/chunks/worker-proxy.js

@@ -3,7 +3,7 @@
 var shared = require('./chunks/shared.js');
 
 const getWorkerMessage = () => new Promise(resolve => {
-  const worker = new Worker((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/chunks/worker-proxy.js').href : new URL('chunks/worker-proxy.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+  const worker = new Worker((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/chunks/worker-proxy.js').href : new URL('chunks/worker-proxy.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
   worker.onmessage = resolve;
 });
 

test/chunking-form/samples/emit-file/emit-chunk-worker/_expected/cjs/main.js

@@ -2,6 +2,6 @@
 
 var shared = require('./chunks/shared.js');
 
-CSS.paintWorklet.addModule((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/chunks/worklet.js').href : new URL('chunks/worklet.js', document.currentScript && document.currentScript.src || document.baseURI).href));
+CSS.paintWorklet.addModule((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/chunks/worklet.js').href : new URL('chunks/worklet.js', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href));
 
 document.body.innerHTML += `<h1 style="background-image: paint(vertical-lines);">color: ${shared.color}, size: ${shared.size}</h1>`;

test/chunking-form/samples/emit-file/emit-chunk-worklet/_expected/cjs/main.js

@@ -1,6 +1,6 @@
 'use strict';
 
-var logo = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/assets/logo1-FquQRdV3.svg').href : new URL('assets/logo1-FquQRdV3.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var logo = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/assets/logo1-FquQRdV3.svg').href : new URL('assets/logo1-FquQRdV3.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 function showImage(url) {
 	console.log(url);

test/chunking-form/samples/emit-file/reference-files/_expected/cjs/main.js

@@ -2,6 +2,6 @@
 
 var main = require('../main.js');
 
-var logo = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/../assets/logo2-DJfvToLT.svg').href : new URL('../assets/logo2-DJfvToLT.svg', document.currentScript && document.currentScript.src || document.baseURI).href);
+var logo = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__dirname + '/../assets/logo2-DJfvToLT.svg').href : new URL('../assets/logo2-DJfvToLT.svg', document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI).href);
 
 main.showImage(logo);

test/chunking-form/samples/emit-file/reference-files/_expected/cjs/nested/chunk.js

@@ -1,6 +1,6 @@
 'use strict';
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
-const url = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('0/1/nested.js', document.baseURI).href));
+const url = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('0/1/nested.js', document.baseURI).href));
 
 exports.url = url;

test/chunking-form/samples/emit-file/set-asset-source/_expected/cjs/main.js

@@ -9,7 +9,7 @@ function log(url) {
 	}
 }
 
-log('main: ' + (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('main.js', document.baseURI).href)));
+log('main: ' + (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('main.js', document.baseURI).href)));
 Promise.resolve().then(function () { return require('./nested/chunk.js'); });
 
 exports.log = log;

test/chunking-form/samples/import-meta-numeric-paths/_expected/cjs/0/1/nested.js

@@ -3,4 +3,4 @@
 var main = require('../main.js');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
-main.log('nested: ' + (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('nested/chunk.js', document.baseURI).href)));
+main.log('nested: ' + (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('nested/chunk.js', document.baseURI).href)));