add patches to fix DOM clobbering

cherriechang · cherriechang · commit 80c4989431c1 · 2025-01-08T15:47:27.000-05:00
diff --git a/packages/config/rollup.js b/packages/config/rollup.js
@@ -81,6 +81,15 @@ const makeConfig = ({
           find: /'__CITATIONS__'/g,
           replace: JSON.stringify(citationData, null, 2),
         }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
         esbuild({ ...esBuildPluginOptions, target: "node18" }),
         commonjs(commonjsPluginOptions),
       ],
@@ -111,6 +120,15 @@ const makeConfig = ({
           find: /'__CITATIONS__'/g,
           replace: JSON.stringify(citationData, null, 2),
         }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
         resolve({ preferBuiltins: false }),
         esbuild({ ...esBuildPluginOptions, target: "esnext" }),
         commonjs(commonjsPluginOptions),
@@ -135,6 +153,15 @@ const makeConfig = ({
           find: /'__CITATIONS__'/g,
           replace: JSON.stringify(citationData, null, 2),
         }),
+        modify({
+          // Patch to mitigate DOM Clobbering vulnerability
+          find: /document\.currentScript/g,
+          replace: `(typeof document !== 'undefined' &&
+                    document.currentScript &&
+                    document.currentScript.tagName &&
+                    document.currentScript.tagName.toUpperCase() === 'SCRIPT' &&
+                    document.currentScript)`,
+        }),
         resolve({ preferBuiltins: false }),
         esbuild({ ...esBuildPluginOptions, target: "es2015", minify: true }),
         commonjs(commonjsPluginOptions),
