From 69b5d7c0e6041c6af8fb88657834d57143ddb111 Mon Sep 17 00:00:00 2001 From: Timothy Flynn Date: Wed, 3 Apr 2024 15:54:22 -0400 Subject: [PATCH] LibWeb: Avoid UAF when encoding a fetch request body via URLSearchParams --- .../expected/fetch-request-url-search-params.txt | 1 + .../input/fetch-request-url-search-params.html | 16 ++++++++++++++++ Userland/Libraries/LibWeb/Fetch/BodyInit.cpp | 4 ++-- 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 Tests/LibWeb/Text/expected/fetch-request-url-search-params.txt create mode 100644 Tests/LibWeb/Text/input/fetch-request-url-search-params.html diff --git a/Tests/LibWeb/Text/expected/fetch-request-url-search-params.txt b/Tests/LibWeb/Text/expected/fetch-request-url-search-params.txt new file mode 100644 index 00000000000..5b4f52faeaf --- /dev/null +++ b/Tests/LibWeb/Text/expected/fetch-request-url-search-params.txt @@ -0,0 +1 @@ +username=buggie&password=hunter2 diff --git a/Tests/LibWeb/Text/input/fetch-request-url-search-params.html b/Tests/LibWeb/Text/input/fetch-request-url-search-params.html new file mode 100644 index 00000000000..67503506239 --- /dev/null +++ b/Tests/LibWeb/Text/input/fetch-request-url-search-params.html @@ -0,0 +1,16 @@ + + diff --git a/Userland/Libraries/LibWeb/Fetch/BodyInit.cpp b/Userland/Libraries/LibWeb/Fetch/BodyInit.cpp index f9fb1acaac6..77cb4186ddd 100644 --- a/Userland/Libraries/LibWeb/Fetch/BodyInit.cpp +++ b/Userland/Libraries/LibWeb/Fetch/BodyInit.cpp 
@@ -105,8 +105,8 @@ WebIDL::ExceptionOr extract_body(JS::Realm& realm,
 },
 [&](JS::Handle const& url_search_params) -> WebIDL::ExceptionOr {
 // Set source to the result of running the application/x-www-form-urlencoded serializer with object’s list.
- auto search_params_bytes = TRY(url_search_params->to_string()).bytes();
- source = TRY_OR_THROW_OOM(vm, ByteBuffer::copy(search_params_bytes));
+ auto search_params_string = TRY(url_search_params->to_string());
+ source = TRY_OR_THROW_OOM(vm, ByteBuffer::copy(search_params_string.bytes()));
 // Set type to `application/x-www-form-urlencoded;charset=UTF-8`.
 type = TRY_OR_THROW_OOM(vm, ByteBuffer::copy("application/x-www-form-urlencoded;charset=UTF-8"sv.bytes()));
 return {};
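Review bot: The new local `search_params_string` carries no comment saying why it exists, so a later cleanup could fold it back into `TRY(url_search_params->to_string()).bytes()` and reintroduce the dangling view this commit removes. I would add `// NOTE: Keep the String in a named local; bytes() only borrows its storage, which a temporary would release before ByteBuffer::copy() reads it.` directly above the `auto search_params_string` line. Since the old code compiled, `bytes()` is evidently callable on an rvalue String; if that is still the case, ref-qualifying or deleting the rvalue overload would turn this class of lifetime bug into a compile error, and the other `TRY(...).bytes()` call sites are worth auditing for the same pattern. The lambda's closing `},` and the rest of extract_body lie outside the hunk.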