From b38bf3e606dea68f257e6346541a424b33f5fc65 Mon Sep 17 00:00:00 2001
From: Tim van der Lippe
Date: Fri, 26 Sep 2025 20:33:56 +0200
Subject: [PATCH] Avoid crash when non-trusted-script object is passed into Function constructor (#39451)
It is possible to pass in objects that are not trusted scripts into the Function constructor. Rather than crashing, we now treat these as untrusted. `can_compile_string_with_trusted_type` doesn't need to know the contents of a string, as it always marks it as untrusted. We can make the same optimization in the string case, where we no longer need to convert the string. Testing: This change adds a WPT crash test. Fixes #39436
Signed-off-by: Tim van der Lippe
---
 components/script/script_runtime.rs | 11 ++++++----
 tests/wpt/meta/MANIFEST.json | 7 +++++++
 .../eval-with-non-trusted-script-object.html | 20 +++++++++++++++++++
 3 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 tests/wpt/tests/trusted-types/eval-with-non-trusted-script-object.html
diff --git a/components/script/script_runtime.rs b/components/script/script_runtime.rs
index 8d1638dea5f..a1d7c2929db 100644
--- a/components/script/script_runtime.rs
+++ b/components/script/script_runtime.rs
@@ -552,13 +552,16 @@ unsafe extern "C" fn content_security_policy_allows(
 parameter_args_vec
 .push(TrustedScriptOrString::TrustedScript(trusted_script));
 } else {
- unreachable!();
+ // It's not a trusted script but a different object. Treat it
+ // as if it is a string, since we don't need the actual contents
+ // of the object.
+ parameter_args_vec
+ .push(TrustedScriptOrString::String(DOMString::new()));
 }
 } else if value.is_string() {
- let string_ptr = std::ptr::NonNull::new(value.to_string()).unwrap();
- let dom_string = unsafe { jsstr_to_string(*cx, string_ptr) };
+ // We don't need to know the specific string, only that it is untrusted
 parameter_args_vec
- .push(TrustedScriptOrString::String(dom_string.into()));
+ .push(TrustedScriptOrString::String(DOMString::new()));
 } else {
 unreachable!();
 }
diff --git a/tests/wpt/meta/MANIFEST.json b/tests/wpt/meta/MANIFEST.json
index 7c10d47ac30..3a22bd324ad 100644
--- a/tests/wpt/meta/MANIFEST.json
+++ b/tests/wpt/meta/MANIFEST.json
@@ -836283,6 +836283,13 @@
 {}
 ]
 ],
+ "eval-with-non-trusted-script-object.html": [
+ "455e2620afc496b438e3a221451f260097146349",
+ [
+ null,
+ {}
+ ]
+ ],
 "eval-with-permissive-csp.html": [
 "b3dc352017675a2634aa96ac1fdea01b55ce9243",
 [
diff --git a/tests/wpt/tests/trusted-types/eval-with-non-trusted-script-object.html b/tests/wpt/tests/trusted-types/eval-with-non-trusted-script-object.html
new file mode 100644
index 00000000000..455e2620afc
--- /dev/null
+++ b/tests/wpt/tests/trusted-types/eval-with-non-trusted-script-object.html
@@ -0,0 +1,20 @@ + + + + + + + + + + +
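Review bot: In the `script_runtime.rs` hunk, the closing `} else { unreachable!(); }` arm of the `is_object()` / `is_string()` chain is left as is, so the crash this commit removes for non-TrustedScript objects would still occur for any argument value that is neither an object nor a string. Whether the engine can hand such a value to this callback is not visible here, but the values originate from page-controlled Function-constructor arguments and the code runs inside an `unsafe extern "C"` callback, so failing closed is safer than asserting: `parameter_args_vec.push(TrustedScriptOrString::String(DOMString::new()));`. The empty `DOMString` placeholder is only correct while the consumer treats every `String` entry as untrusted without reading it; a comment such as `// Placeholder: String entries are never inspected, only counted as untrusted` on both pushes would record that invariant. The body of `content_security_policy_allows` starts and ends outside the hunk.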