add patches to fix DOM clobbering

2025-05-10 11:10:54 +00:00 · 2025-01-08 15:47:27 -05:00 · 2025-01-08 15:47:27 -05:00 · 80c4989431
commit 80c4989431
parent 54be7a03c8
1 changed files with 27 additions and 0 deletions
--- a/packages/config/rollup.js
+++ b/packages/config/rollup.js
@ -81,6 +81,15 @@ const makeConfig = ({
          find: /'__CITATIONS__'/g,
          replace: JSON.stringify(citationData, null, 2),
        }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
        esbuild({ ...esBuildPluginOptions, target: "node18" }),
        commonjs(commonjsPluginOptions),
      ],
@ -111,6 +120,15 @@ const makeConfig = ({
          find: /'__CITATIONS__'/g,
          replace: JSON.stringify(citationData, null, 2),
        }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
        resolve({ preferBuiltins: false }),
        esbuild({ ...esBuildPluginOptions, target: "esnext" }),
        commonjs(commonjsPluginOptions),
@ -135,6 +153,15 @@ const makeConfig = ({
          find: /'__CITATIONS__'/g,
          replace: JSON.stringify(citationData, null, 2),
        }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
        resolve({ preferBuiltins: false }),
        esbuild({ ...esBuildPluginOptions, target: "es2015", minify: true }),
        commonjs(commonjsPluginOptions),