Skip to content
This repository was archived by the owner on May 7, 2026. It is now read-only.

fix: prevent iframe leak in untainted prototype and avoid unnecessary iframe creation #159

Merged
pauldambra merged 1 commit into from
Apr 2, 2026
Merged

fix: prevent iframe leak in untainted prototype and avoid unnecessary iframe creation #159

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 9 additions & 7 deletions packages/utils/src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,14 @@ type BasePrototypeCache = {
const testableAccessors = {
Node: ['childNodes', 'parentNode', 'parentElement', 'textContent'] as const,
ShadowRoot: ['host', 'styleSheets'] as const,
Element: ['shadowRoot', 'querySelector', 'querySelectorAll'] as const,
Element: ['shadowRoot'] as const,
MutationObserver: [] as const,
} as const;

const testableMethods = {
Node: ['contains', 'getRootNode'] as const,
ShadowRoot: ['getSelection'],
Element: [],
Element: ['querySelector', 'querySelectorAll'],
MutationObserver: ['constructor'],
} as const;

Expand Down Expand Up @@ -102,23 +102,25 @@ export function getUntaintedPrototype<T extends keyof BasePrototypeCache>(
return candidate.prototype as BasePrototypeCache[T];
}

const iframeEl = document.createElement('iframe');
Copy link
Copy Markdown
Member

@pauldambra pauldambra Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could document.createElement fail?

in which case we'd be better with

let iframeEl: blah or blah = null
try {
    iframeEl = document.createElement('iframe');

very not sure if it's even possible for that to throw though!

try {
const iframeEl = document.createElement('iframe');
document.body.appendChild(iframeEl);
const win = iframeEl.contentWindow;
if (!win) return candidate.prototype as BasePrototypeCache[T];

// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-explicit-any
const untaintedObject = (win as any)[key]
.prototype as BasePrototypeCache[T];
// cleanup
document.body.removeChild(iframeEl);

if (!untaintedObject) return defaultPrototype;

return (untaintedBasePrototype[key] = untaintedObject);
} catch {
return defaultPrototype;
} finally {
if (iframeEl.parentNode) {
document.body.removeChild(iframeEl);
}
}
}

Expand Down Expand Up @@ -225,14 +227,14 @@ export function shadowRoot(n: Node): ShadowRoot | null {
}

export function querySelector(n: Element, selectors: string): Element | null {
return getUntaintedAccessor('Element', n, 'querySelector')(selectors);
return getUntaintedMethod('Element', n, 'querySelector')(selectors);
}

export function querySelectorAll(
n: Element,
selectors: string,
): NodeListOf<Element> {
return getUntaintedAccessor('Element', n, 'querySelectorAll')(selectors);
return getUntaintedMethod('Element', n, 'querySelectorAll')(selectors);
}

export function mutationObserverCtor(): (typeof MutationObserver)['prototype']['constructor'] {
Expand Down
Loading