Merge pull request #696 from CloudCannon/fix/dom-clobber

bglw · web-flow · commit 14ec96864eab · 2024-09-03T13:34:01.000+12:00
Add safety checks around accesses for `document.currentScript.src`
diff --git a/pagefind_ui/default/svelte/ui.svelte b/pagefind_ui/default/svelte/ui.svelte
@@ -99,11 +99,21 @@
           [
             `Pagefind couldn't be loaded from ${this.options.bundlePath}pagefind.js`,
             `You can configure this by passing a bundlePath option to PagefindUI`,
-            `[DEBUG: Loaded from ${
-              document?.currentScript?.src ?? "no known script location"
-            }]`,
           ].join("\n")
         );
+        // Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
+        if (
+          document?.currentScript &&
+          document.currentScript.tagName.toUpperCase() === "SCRIPT"
+        ) {
+          console.error(
+            `[DEBUG: Loaded from ${
+              document.currentScript.src ?? "bad script location"
+            }]`
+          );
+        } else {
+          console.error("no known script location");
+        }
       }
 
       if (!excerpt_length) {
diff --git a/pagefind_ui/default/ui-core.js b/pagefind_ui/default/ui-core.js
@@ -2,9 +2,12 @@ import PagefindSvelte from "./svelte/ui.svelte";
 
 let scriptBundlePath;
 try {
-  scriptBundlePath = new URL(document.currentScript.src).pathname.match(
-    /^(.*\/)(?:pagefind-)?ui.js.*$/
-  )[1];
+  // Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
+  if (document?.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') {
+    scriptBundlePath = new URL(document.currentScript.src).pathname.match(
+      /^(.*\/)(?:pagefind-)?ui.js.*$/
+    )[1];
+  }
 } catch (e) {
   scriptBundlePath = "/pagefind/";
 }
diff --git a/pagefind_ui/modular/modular-core.js b/pagefind_ui/modular/modular-core.js
@@ -8,9 +8,12 @@ const sleep = async (ms = 50) =>
 
 let scriptBundlePath;
 try {
-  scriptBundlePath = new URL(document.currentScript.src).pathname.match(
-    /^(.*\/)(?:pagefind-)?modular-ui.js.*$/
-  )[1];
+  // Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
+  if (document?.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') {
+    scriptBundlePath = new URL(document.currentScript.src).pathname.match(
+      /^(.*\/)(?:pagefind-)?modular-ui.js.*$/
+    )[1];
+  }
 } catch (e) {
   scriptBundlePath = "/pagefind/";
 }
@@ -166,12 +169,22 @@ export class Instance {
         console.error(
           [
             `Pagefind couldn't be loaded from ${this.options.bundlePath}pagefind.js`,
-            `You can configure this by passing a bundlePath option to PagefindComposable Instance`,
-            `[DEBUG: Loaded from ${
-              document?.currentScript?.src ?? "no known script location"
-            }]`,
+            `You can configure this by passing a bundlePath option to PagefindComposable Instance`
           ].join("\n")
         );
+        // Important: Check that the element is indeed a <script> node, to avoid a DOM clobbering vulnerability
+        if (
+          document?.currentScript &&
+          document.currentScript.tagName.toUpperCase() === "SCRIPT"
+        ) {
+          console.error(
+            `[DEBUG: Loaded from ${
+              document.currentScript?.src ?? "bad script location"
+            }]`
+          );
+        } else {
+          console.error("no known script location");
+        }
       }
 
       await imported_pagefind.options(this.pagefindOptions || {});
