LibWeb: Avoid UAF when encoding a fetch request body via URLSearchParams

Author: https://github.com/trflynn89
Commit: https://github.com/SerenityOS/serenity/commit/69b5d7c0e6
Pull-request: https://github.com/SerenityOS/serenity/pull/23826
Reviewed-by: https://github.com/awesomekling ✅

Tests/LibWeb/Text/expected/fetch-request-url-search-params.txt

@@ -0,0 +1 @@
+username=buggie&password=hunter2

Tests/LibWeb/Text/input/fetch-request-url-search-params.html

@@ -0,0 +1,16 @@
+<script src="include.js"></script>
+<script type="text/javascript">
+    asyncTest(async done => {
+        const body = new URLSearchParams();
+        body.append("username", "buggie");
+        body.append("password", "hunter2");
+
+        const request = new Request("fetch-url-search-params.html", {
+            method: "POST",
+            body: body,
+        });
+
+        println(await request.text());
+        done();
+    });
+</script>

Userland/Libraries/LibWeb/Fetch/BodyInit.cpp

@@ -105,8 +105,8 @@ WebIDL::ExceptionOr<Infrastructure::BodyWithType> extract_body(JS::Realm& realm,
         },
         [&](JS::Handle<DOMURL::URLSearchParams> const& url_search_params) -> WebIDL::ExceptionOr<void> {
             // Set source to the result of running the application/x-www-form-urlencoded serializer with object’s list.
-            auto search_params_bytes = TRY(url_search_params->to_string()).bytes();
-            source = TRY_OR_THROW_OOM(vm, ByteBuffer::copy(search_params_bytes));
+            auto search_params_string = TRY(url_search_params->to_string());
+            source = TRY_OR_THROW_OOM(vm, ByteBuffer::copy(search_params_string.bytes()));
             // Set type to `application/x-www-form-urlencoded;charset=UTF-8`.
             type = TRY_OR_THROW_OOM(vm, ByteBuffer::copy("application/x-www-form-urlencoded;charset=UTF-8"sv.bytes()));
             return {};