fix(security): DOM clobbering in auto public path (#7664)

web-infra-dev · Aug 23, 2024 · 0303c68 · 0303c68 · rspack-bot · Aug 23, 2024
1 parent b96bf7d
commit 0303c68
Show file tree

Hide file tree

Showing 58 changed files with 764 additions and 698 deletions.
diff --git a/crates/rspack_plugin_hmr/src/runtime/hot_module_replacement.js b/crates/rspack_plugin_hmr/src/runtime/hot_module_replacement.js
@@ -261,11 +261,10 @@ function hotCheck(applyOnUpdate) {
 					return waitForBlockingPromises(function () {
 						if (applyOnUpdate) {
 							return internalApply(applyOnUpdate);
-						} else {
-							return setStatus("ready").then(function () {
-								return updatedModules;
-							});
 						}
+						return setStatus("ready").then(function () {
+							return updatedModules;
+						});
 					});
 				});
 			});

diff --git a/crates/rspack_plugin_runtime/src/runtime_module/auto_public_path.rs b/crates/rspack_plugin_runtime/src/runtime_module/auto_public_path.rs
@@ -88,14 +88,17 @@ fn auto_public_path_template(filename: &str, output: &OutputOptions) -> String {
     if ({global}.importScripts) scriptUrl = {global}.location + "";
     var document = {global}.document;
     if (!scriptUrl && document) {{
-      if (document.currentScript) scriptUrl = document.currentScript.src;
-        if (!scriptUrl) {{
-          var scripts = document.getElementsByTagName("script");
-              if (scripts.length) {{
-                var i = scripts.length - 1;
-                while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
-              }}
-        }}
+      // Technically we could use `document.currentScript instanceof window.HTMLScriptElement`,
+      // but an attacker could try to inject `<script>HTMLScriptElement = HTMLImageElement</script>`
+      // and use `<img name="currentScript" src="https://attacker.controlled.server/"></img>`
+      if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') scriptUrl = document.currentScript.src;
+      if (!scriptUrl) {{
+        var scripts = document.getElementsByTagName("script");
+            if (scripts.length) {{
+              var i = scripts.length - 1;
+              while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
+            }}
+      }}
       }}
     "#
     )

diff --git a/crates/rspack_plugin_runtime/src/runtime_module/runtime/javascript_hot_module_replacement.js b/crates/rspack_plugin_runtime/src/runtime_module/runtime/javascript_hot_module_replacement.js
@@ -103,15 +103,10 @@ function applyHandler(options) {
 	for (var moduleId in currentUpdate) {
 		if (__webpack_require__.o(currentUpdate, moduleId)) {
 			var newModuleFactory = currentUpdate[moduleId];
-			var result;
-			if (newModuleFactory) {
-				result = getAffectedModuleEffects(moduleId);
-			} else {
-				result = {
-					type: "disposed",
-					moduleId: moduleId
-				};
-			}
+			var result = newModuleFactory ? getAffectedModuleEffects(moduleId) : {
+				type: "disposed",
+				moduleId: moduleId
+			};
 			var abortError = false;
 			var doApply = false;
 			var doDispose = false;
@@ -132,10 +127,10 @@ function applyHandler(options) {
 					if (!options.ignoreDeclined)
 						abortError = new Error(
 							"Aborted because of declined dependency: " +
-								result.moduleId +
-								" in " +
-								result.parentId +
-								chainInfo
+							result.moduleId +
+							" in " +
+							result.parentId +
+							chainInfo
 						);
 					break;
 				case "unaccepted":
@@ -201,7 +196,7 @@ function applyHandler(options) {
 				errorHandler: module.hot._selfAccepted
 			});
 		}
-	}$HOT_TEST_OUTDATED$
+	} $HOT_TEST_OUTDATED$
 
 	var moduleOutdatedDependencies;
 	return {
@@ -221,7 +216,7 @@ function applyHandler(options) {
 				var data = {};
 
 				// Call dispose handlers
-				var disposeHandlers = module.hot._disposeHandlers;$HOT_TEST_DISPOSE$
+				var disposeHandlers = module.hot._disposeHandlers; $HOT_TEST_DISPOSE$
 				for (j = 0; j < disposeHandlers.length; j++) {
 					disposeHandlers[j].call(null, data);
 				}
@@ -262,7 +257,7 @@ function applyHandler(options) {
 			// insert new code
 			for (var updateModuleId in appliedUpdate) {
 				if (__webpack_require__.o(appliedUpdate, updateModuleId)) {
-					__webpack_require__.m[updateModuleId] = appliedUpdate[updateModuleId];$HOT_TEST_UPDATED$
+					__webpack_require__.m[updateModuleId] = appliedUpdate[updateModuleId]; $HOT_TEST_UPDATED$
 				}
 			}
 
@@ -287,7 +282,7 @@ function applyHandler(options) {
 							if (acceptCallback) {
 								if (callbacks.indexOf(acceptCallback) !== -1) continue;
 								callbacks.push(acceptCallback);
-								errorHandlers.push(errorHandler);$HOT_TEST_ACCEPT$
+								errorHandlers.push(errorHandler); $HOT_TEST_ACCEPT$
 								dependenciesForCallbacks.push(dependency);
 							}
 						}
@@ -348,17 +343,17 @@ function applyHandler(options) {
 								moduleId: moduleId,
 								module: __webpack_require__.c[moduleId]
 							});
-						} catch (err2) {
+						} catch (err1) {
 							if (options.onErrored) {
 								options.onErrored({
 									type: "self-accept-error-handler-errored",
 									moduleId: moduleId,
-									error: err2,
+									error: err1,
 									originalError: err
 								});
 							}
 							if (!options.ignoreErrored) {
-								reportError(err2);
+								reportError(err1);
 								reportError(err);
 							}
 						}

diff --git a/package.json b/package.json
@@ -77,7 +77,7 @@
     "rimraf": "3.0.2",
     "ts-jest": "29.1.2",
     "typescript": "5.0.2",
-    "webpack": "^5.92.0",
+    "webpack": "^5.94.0",
     "webpack-cli": "5.1.4"
   },
   "packageManager": "pnpm@9.3.0"

diff --git a/packages/rspack-test-tools/package.json b/packages/rspack-test-tools/package.json
@@ -64,7 +64,7 @@
     "pretty-format": "29.7.0",
     "rimraf": "3.0.2",
     "strip-ansi": "6.0.1",
-    "webpack": "^5.92.0",
+    "webpack": "^5.94.0",
     "webpack-merge": "5.9.0",
     "webpack-sources": "3.2.3"
   },

diff --git a/packages/rspack-test-tools/tests/__snapshots__/Defaults.test.js.snap b/packages/rspack-test-tools/tests/__snapshots__/Defaults.test.js.snap
@@ -48,7 +48,7 @@ Object {
     "environment": Object {
       "arrowFunction": true,
       "asyncFunction": true,
-      "bigIntLiteral": undefined,
+      "bigIntLiteral": true,
       "const": true,
       "destructuring": true,
       "document": true,
@@ -320,7 +320,7 @@ Object {
     "environment": Object {
       "arrowFunction": true,
       "asyncFunction": true,
-      "bigIntLiteral": undefined,
+      "bigIntLiteral": true,
       "const": true,
       "destructuring": true,
       "document": true,

diff --git a/packages/rspack-test-tools/tests/__snapshots__/StatsOutput.test.js.snap b/packages/rspack-test-tools/tests/__snapshots__/StatsOutput.test.js.snap
@@ -2,10 +2,10 @@
 
 exports[`statsOutput statsOutput/auxiliary-files-test should print correct stats for 1`] = `
 "PublicPath: auto
-asset bundle.js 2.27 KiB {909} [emitted] (name: main)
+asset bundle.js 2.6 KiB {909} [emitted] (name: main)
 asset 2710c5e36f8babb0a3a4.png 7 bytes ({909}) [emitted] [immutable] [from: raw.png] (auxiliary name: main)
-Entrypoint main 2.27 KiB (7 bytes) = bundle.js 2.27 KiB (2710c5e36f8babb0a3a4.png 7 bytes)
-chunk {909} (runtime: main) bundle.js (main) 7 bytes (asset) 159 bytes (javascript) 1.28 KiB (runtime) [entry] [rendered]
+Entrypoint main 2.6 KiB (7 bytes) = bundle.js 2.6 KiB (2710c5e36f8babb0a3a4.png 7 bytes)
+chunk {909} (runtime: main) bundle.js (main) 7 bytes (asset) 159 bytes (javascript) 1.61 KiB (runtime) [entry] [rendered]
   > ./index main
   ./index.js + 1 modules [686] 117 bytes {909} [depth 0] [code generated]
     [no exports]
@@ -51,15 +51,15 @@ modules by path ./ 235 bytes (javascript) 7 bytes (asset)
       [no exports]
       [no exports used]
       esm import ./raw.png ./index.js
-runtime modules 1.28 KiB
-  webpack/runtime/auto_public_path 1.06 KiB {909} [code generated]
+runtime modules 1.61 KiB
+  webpack/runtime/auto_public_path 1.39 KiB {909} [code generated]
     [no exports]
     [used exports unknown]
   webpack/runtime/global 223 bytes {909} [code generated]
     [no exports]
     [used exports unknown]
   
-Rspack compiled successfully (c12084bf03e12a353092)"
+Rspack compiled successfully (2626c5e238d43a8c50f3)"
 `;
 
 exports[`statsOutput statsOutput/builtin-swc-loader-parse-error should print correct stats for 1`] = `
@@ -93,18 +93,18 @@ Rspack x.x.x compiled with 1 error in X s"
 `;
 
 exports[`statsOutput statsOutput/filename should print correct stats for 1`] = `
-"asset 909.xxxx.js 8.81 KiB [emitted] (name: main)
+"asset 909.xxxx.js 9.14 KiB [emitted] (name: main)
 asset 521.xxxx.js 337 bytes [emitted]
-runtime modules 7.21 KiB 11 modules
+runtime modules 7.54 KiB 11 modules
 cacheable modules 70 bytes
   ./index.js 38 bytes [built] [code generated]
   ./dynamic.js 32 bytes [built] [code generated]
 Rspack x.x.x compiled successfully in X s"
 `;
 
 exports[`statsOutput statsOutput/hot+production should print correct stats for 1`] = `
-"asset main.js 35.2 KiB [emitted] (name: main)
-runtime modules 32.8 KiB 12 modules
+"asset main.js 35.5 KiB [emitted] (name: main)
+runtime modules 33.1 KiB 12 modules
 ./index.js 25 bytes [built] [code generated]
 Rspack x.x.x compiled successfully in X s"
 `;
@@ -157,32 +157,32 @@ exports[`statsOutput statsOutput/limit-chunk-count-plugin should print correct s
   1 chunks (Rspack x.x.x) compiled successfully in X s
 
 2 chunks:
-  asset bundle2.js 10.2 KiB [emitted] (name: main)
+  asset bundle2.js 10.5 KiB [emitted] (name: main)
   asset 76.bundle2.js 497 bytes [emitted] (name: c)
   chunk (runtime: main) 76.bundle2.js (c) 74 bytes <{76}> <{909}> >{76}< [rendered]
     dependent modules 44 bytes [dependent] 2 modules
     ./c.js 30 bytes [built] [code generated]
-  chunk (runtime: main) bundle2.js (main) 145 bytes (javascript) 8.4 KiB (runtime) >{76}< [entry] [rendered]
+  chunk (runtime: main) bundle2.js (main) 145 bytes (javascript) 8.73 KiB (runtime) >{76}< [entry] [rendered]
     dependent modules 22 bytes [dependent] 1 module
     ./index.js 123 bytes [built] [code generated]
   2 chunks (Rspack x.x.x) compiled successfully in X s
 
 3 chunks:
-  asset bundle3.js 10.2 KiB [emitted] (name: main)
+  asset bundle3.js 10.5 KiB [emitted] (name: main)
   asset 76.bundle3.js 387 bytes [emitted] (name: c)
   asset 345.bundle3.js 186 bytes [emitted]
   chunk (runtime: main) 345.bundle3.js 44 bytes <{76}> [rendered]
     ./d.js 22 bytes [built] [code generated]
     ./e.js 22 bytes [built] [code generated]
   chunk (runtime: main) 76.bundle3.js (c) 30 bytes <{909}> >{345}< [rendered]
     ./c.js 30 bytes [built] [code generated]
-  chunk (runtime: main) bundle3.js (main) 145 bytes (javascript) 8.4 KiB (runtime) >{76}< [entry] [rendered]
+  chunk (runtime: main) bundle3.js (main) 145 bytes (javascript) 8.73 KiB (runtime) >{76}< [entry] [rendered]
     dependent modules 22 bytes [dependent] 1 module
     ./index.js 123 bytes [built] [code generated]
   3 chunks (Rspack x.x.x) compiled successfully in X s
 
 4 chunks:
-  asset bundle4.js 10.2 KiB [emitted] (name: main)
+  asset bundle4.js 10.5 KiB [emitted] (name: main)
   asset 76.bundle4.js 387 bytes [emitted] (name: c)
   asset 697.bundle4.js 130 bytes [emitted]
   asset 753.bundle4.js 130 bytes [emitted]
@@ -192,7 +192,7 @@ exports[`statsOutput statsOutput/limit-chunk-count-plugin should print correct s
     ./d.js 22 bytes [built] [code generated]
   chunk (runtime: main) 76.bundle4.js (c) 30 bytes <{909}> >{697}< >{753}< [rendered]
     ./c.js 30 bytes [built] [code generated]
-  chunk (runtime: main) bundle4.js (main) 145 bytes (javascript) 8.4 KiB (runtime) >{76}< [entry] [rendered]
+  chunk (runtime: main) bundle4.js (main) 145 bytes (javascript) 8.73 KiB (runtime) >{76}< [entry] [rendered]
     dependent modules 22 bytes [dependent] 1 module
     ./index.js 123 bytes [built] [code generated]
   4 chunks (Rspack x.x.x) compiled successfully in X s"
@@ -220,7 +220,7 @@ Rspack compiled with 1 error"
 `;
 
 exports[`statsOutput statsOutput/named-chunk-group should print correct stats for 1`] = `
-"Entrypoint main 8.8 KiB = main.js
+"Entrypoint main 9.13 KiB = main.js
 Chunk Group cimanyd 337 bytes = cimanyd.js"
 `;
 
@@ -236,13 +236,13 @@ Rspack compiled with 1 error"
 `;
 
 exports[`statsOutput statsOutput/optimization-chunk-ids-natural should print correct stats for 1`] = `
-"Entrypoint e1 10.4 KiB = e1.js
-Entrypoint e2 10.3 KiB = e2.js
+"Entrypoint e1 10.7 KiB = e1.js
+Entrypoint e2 10.6 KiB = e2.js
 chunk (runtime: e1) 0.js 24 bytes [rendered]
 chunk (runtime: e1) 1.js 52 bytes [rendered]
 chunk (runtime: e1, e2) 2.js 22 bytes [rendered]
-chunk (runtime: e1) e1.js (e1) 74 bytes (javascript) 8.39 KiB (runtime) [entry] [rendered]
-chunk (runtime: e2) e2.js (e2) 51 bytes (javascript) 8.39 KiB (runtime) [entry] [rendered]"
+chunk (runtime: e1) e1.js (e1) 74 bytes (javascript) 8.72 KiB (runtime) [entry] [rendered]
+chunk (runtime: e2) e2.js (e2) 51 bytes (javascript) 8.72 KiB (runtime) [entry] [rendered]"
 `;
 
 exports[`statsOutput statsOutput/optimization-runtime-chunk should print correct stats for 1`] = `
@@ -300,11 +300,11 @@ Rspack compiled with 1 error"
 `;
 
 exports[`statsOutput statsOutput/performance-disabled should print correct stats for 1`] = `
-"asset main.js 303 KiB [emitted] (name: main)
+"asset main.js 304 KiB [emitted] (name: main)
 asset 697.js 130 bytes [emitted]
 asset 753.js 130 bytes [emitted]
-Entrypoint main 303 KiB = main.js
-runtime modules 8.39 KiB 12 modules
+Entrypoint main 304 KiB = main.js
+runtime modules 8.72 KiB 12 modules
 cacheable modules 293 KiB
   ./index.js 49 bytes [built] [code generated]
   ./a.js 293 KiB [built] [code generated]
@@ -316,11 +316,11 @@ Rspack x.x.x compiled successfully in X s"
 `;
 
 exports[`statsOutput statsOutput/performance-error should print correct stats for 1`] = `
-"asset main.js 303 KiB [emitted] [big] (name: main)
+"asset main.js 304 KiB [emitted] [big] (name: main)
 asset 697.js 130 bytes [emitted]
 asset 753.js 130 bytes [emitted]
-Entrypoint main [big] 303 KiB = main.js
-runtime modules 8.39 KiB 12 modules
+Entrypoint main [big] 304 KiB = main.js
+runtime modules 8.72 KiB 12 modules
 cacheable modules 293 KiB
   ./index.js 48 bytes [built] [code generated]
   ./a.js 293 KiB [built] [code generated]
@@ -330,23 +330,23 @@ cacheable modules 293 KiB
   ./e.js 22 bytes [built] [code generated]
 
 ERROR in × asset size limit: The following asset(s) exceed the recommended size limit (244.141 KiB). This can impact web performance.Assets:
-  │   main.js (303.362 KiB)
+  │   main.js (303.692 KiB)
 
 
 ERROR in × entrypoint size limit: The following entrypoint(s) combined asset size exceeds the recommended limit (244.141 KiB). This can impact web performance.Entrypoints:
-  │   main (303.362 KiB)
+  │   main (303.692 KiB)
   │       main.js
 
 
 Rspack x.x.x compiled with 2 errors in X s"
 `;
 
 exports[`statsOutput statsOutput/performance-no-hints should print correct stats for 1`] = `
-"asset main.js 303 KiB [emitted] [big] (name: main)
+"asset main.js 304 KiB [emitted] [big] (name: main)
 asset 697.js 130 bytes [emitted]
 asset 753.js 130 bytes [emitted]
-Entrypoint main [big] 303 KiB = main.js
-runtime modules 8.39 KiB 12 modules
+Entrypoint main [big] 304 KiB = main.js
+runtime modules 8.72 KiB 12 modules
 cacheable modules 293 KiB
   ./index.js 48 bytes [built] [code generated]
   ./a.js 293 KiB [built] [code generated]
@@ -368,7 +368,7 @@ chunk (runtime: main) a2.js (a2) 1 bytes <{74}> [rendered]
 chunk (runtime: main) b.js (b) 203 bytes <{909}> >{438}< >{439}< >{826}< (prefetch: {826} {438}) (preload: {439}) [rendered]
 chunk (runtime: main) c.js (c) 134 bytes <{909}> >{380}< >{433}< (preload: {433} {380}) [rendered]
 chunk (runtime: main) b1.js (b1) 1 bytes <{751}> [rendered]
-chunk (runtime: main) main.js (main) 195 bytes (javascript) 11.6 KiB (runtime) >{74}< >{751}< >{76}< (prefetch: {74} {751} {76}) [entry] [rendered]"
+chunk (runtime: main) main.js (main) 195 bytes (javascript) 12 KiB (runtime) >{74}< >{751}< >{76}< (prefetch: {74} {751} {76}) [entry] [rendered]"
 `;
 
 exports[`statsOutput statsOutput/reasons should print correct stats for 1`] = `

diff --git a/packages/rspack-test-tools/tests/defaultsCases/config/browserslist.js b/packages/rspack-test-tools/tests/defaultsCases/config/browserslist.js
@@ -16,7 +16,7 @@ module.exports = {
 		@@ ... @@
 		-       "arrowFunction": true,
 		-       "asyncFunction": true,
-		-       "bigIntLiteral": undefined,
+		-       "bigIntLiteral": true,
 		-       "const": true,
 		-       "destructuring": true,
 		+       "arrowFunction": false,
@@ -50,7 +50,7 @@ module.exports = {
 		@@ ... @@
 		-       "arrowFunction": true,
 		-       "asyncFunction": true,
-		-       "bigIntLiteral": undefined,
+		-       "bigIntLiteral": true,
 		-       "const": true,
 		-       "destructuring": true,
 		+       "arrowFunction": false,
Name	Base (2024-08-23 2d18cc2)	Current	Change
10000_development-mode + exec	2.37 s ± 25 ms	2.39 s ± 39 ms	+0.84 %
10000_development-mode_hmr + exec	705 ms ± 15 ms	710 ms ± 5.6 ms	+0.69 %
10000_production-mode + exec	3.03 s ± 26 ms	3.07 s ± 34 ms	+1.53 %
arco-pro_development-mode + exec	1.9 s ± 88 ms	1.9 s ± 56 ms	-0.43 %
arco-pro_development-mode_hmr + exec	437 ms ± 2.6 ms	438 ms ± 2.4 ms	+0.24 %
arco-pro_production-mode + exec	3.47 s ± 54 ms	3.52 s ± 60 ms	+1.40 %
arco-pro_production-mode_generate-package-json-webpack-plugin + exec	3.53 s ± 69 ms	3.56 s ± 71 ms	+0.95 %
threejs_development-mode_10x + exec	1.69 s ± 15 ms	1.7 s ± 22 ms	+0.30 %
threejs_development-mode_10x_hmr + exec	800 ms ± 10 ms	803 ms ± 8.1 ms	+0.30 %
threejs_production-mode_10x + exec	5.49 s ± 29 ms	5.56 s ± 24 ms	+1.36 %
suite	result
modernjs	✅ success
_selftest	✅ success
nx	❌ failure
rspress	✅ success
rslib	✅ success
rsbuild	✅ success
examples	✅ success