taint check fix for when document.currentScript is undefined (#307)

Author: jonathanKingston

integration-test/pages/runtimeChecks/index.html

@@ -0,0 +1,6 @@
+<html lang="en">
+  <body>
+    <h1>Check for stack tracing</h1>
+    <script src="script.js"></script>
+  </body>
+</html>

integration-test/pages/runtimeChecks/script.js

@@ -0,0 +1,12 @@
+function init () {
+    window.script1Ran = true
+    const script = document.createElement('script')
+    script.src = './script2.js'
+    script.id = 'script2'
+    script.setAttribute('magicalAttribute', 'yes')
+    document.body.appendChild(script)
+}
+// Wait for setup
+window.addEventListener('initialize', (e) => {
+    init()
+})

integration-test/pages/runtimeChecks/script2.js

@@ -0,0 +1,2 @@
+window.script2Ran = true
+window.dispatchEvent(new CustomEvent('initializeFinished'))

integration-test/test-runtime-checks.js

@@ -432,4 +432,60 @@ describe('Runtime checks: should allow element modification', () => {
             type: 'application/javascript'
         })
     })
+
+    it('Verify stack tracing', async () => {
+        const port = server.address().port
+        const page = await browser.newPage()
+        await gotoAndWait(page, `http://localhost:${port}/runtimeChecks/index.html`, {
+            site: {
+                enabledFeatures: ['runtimeChecks']
+            },
+            featureSettings: {
+                runtimeChecks: {
+                    taintCheck: 'enabled',
+                    matchAllDomains: 'enabled',
+                    matchAllStackDomains: 'disabled',
+                    stackDomains: [
+                        {
+                            domain: 'localhost'
+                        }
+                    ],
+                    tagModifiers: {
+                        script: {
+                            filters: {
+                                // verify the runtime check did run for the stack traced script and filtered the attribute
+                                attribute: ['magicalattribute']
+                            }
+                        }
+                    }
+                }
+            }
+        })
+        // And now with a script that will execute
+        const pageResults = await page.evaluate(
+            async () => {
+                window.dispatchEvent(new Event('initialize'))
+                await new Promise(resolve => {
+                    window.addEventListener('initializeFinished', () => {
+                        resolve()
+                    })
+                })
+                const scripty = document.querySelector('script#script2')
+
+                return {
+                    // @ts-expect-error https://app.asana.com/0/1201614831475344/1203979574128023/f
+                    script1: window.script1Ran,
+                    // @ts-expect-error https://app.asana.com/0/1201614831475344/1203979574128023/f
+                    script2: window.script2Ran,
+                    // @ts-expect-error https://app.asana.com/0/1201614831475344/1203979574128023/f
+                    magicalProperty: scripty.magicalProperty
+                }
+            }
+        )
+        expect(pageResults).toEqual({
+            script1: true,
+            script2: true
+            // no magical property
+        })
+    })
 })

src/features/runtime-checks.js

@@ -21,7 +21,7 @@ function shouldFilterKey (tagName, filterName, key) {
 
 let elementRemovalTimeout
 const featureName = 'runtimeChecks'
-const symbol = Symbol(featureName)
+const taintSymbol = Symbol(featureName)
 const supportedSinks = ['src']
 
 class DDGRuntimeChecks extends HTMLElement {
@@ -99,7 +99,7 @@ class DDGRuntimeChecks extends HTMLElement {
 
         if (taintCheck) {
             // Add a symbol to the element so we can identify it as a runtime checked element
-            Object.defineProperty(el, symbol, { value: true, configurable: false, enumerable: false, writable: false })
+            Object.defineProperty(el, taintSymbol, { value: true, configurable: false, enumerable: false, writable: false })
         }
 
         // Reflect all attrs to the new element
@@ -313,7 +313,7 @@ function shouldInterrogate (tagName) {
     if (matchAllStackDomains) {
         return true
     }
-    if (taintCheck && document.currentScript[symbol]) {
+    if (taintCheck && document.currentScript?.[taintSymbol]) {
         return true
     }
     const stack = getStack()