Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[4.x] Sanitize SVG uploads #9365

Merged
merged 5 commits into from
Jan 19, 2024
Merged

[4.x] Sanitize SVG uploads #9365

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
bd4e102
Sanitize SVG uploads
duncanmcclean Jan 19, 2024
fee82cd
Fix failing test
duncanmcclean Jan 19, 2024
dfa2855
Add test.
duncanmcclean Jan 19, 2024
4b3dbb4
nitpick
jasonvarga Jan 19, 2024
9c88e53
leave xml alone like we do in the tag
jasonvarga Jan 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions src/Assets/Uploader.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@
namespace Statamic\Assets;

use Facades\Statamic\Imaging\ImageValidator;
use Rhukster\DomSanitizer\DOMSanitizer;
use Statamic\Facades\Glide;
use Statamic\Support\Str;
use Symfony\Component\HttpFoundation\File\UploadedFile;

abstract class Uploader
Expand Down Expand Up @@ -50,6 +52,13 @@ private function write($sourcePath, $destinationPath)
{
$stream = fopen($sourcePath, 'r');

if (Str::endsWith($destinationPath, '.svg')) {
$sanitizer = new DOMSanitizer(DOMSanitizer::SVG);
$stream = $sanitizer->sanitize($svg = stream_get_contents($stream), [
'remove-xml-tags' => ! Str::startsWith($svg, '<?xml'),
]);
}

$this->disk()->put($this->uploadPathPrefix().$destinationPath, $stream);

if (is_resource($stream)) {
Expand Down
24 changes: 23 additions & 1 deletion tests/Assets/AssetTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1729,6 +1729,28 @@ public function it_can_upload_an_image_into_a_container_with_new_extension_forma
Event::assertDispatched(AssetSaved::class);
}

/** @test */
public function it_sanitizes_svgs_on_upload()
{
Event::fake();

$asset = (new Asset)->container($this->container)->path('path/to/asset.svg')->syncOriginal();

Facades\AssetContainer::shouldReceive('findByHandle')->with('test_container')->andReturn($this->container);
Storage::disk('test')->assertMissing('path/to/asset.svg');

$return = $asset->upload(UploadedFile::fake()->createWithContent('asset.svg', '<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" width="500" height="500"><script type="text/javascript">alert(`Bad stuff could go in here.`);</script></svg>'));

$this->assertEquals($asset, $return);
Storage::disk('test')->assertExists('path/to/asset.svg');
$this->assertEquals('path/to/asset.svg', $asset->path());

// Ensure the inline scripts were stripped out.
$this->assertStringNotContainsString('<script', $asset->contents());
$this->assertStringNotContainsString('Bad stuff could go in here.', $asset->contents());
$this->assertStringNotContainsString('</script>', $asset->contents());
}

public function nonGlideableFileExtensions()
{
return [
Expand Down Expand Up @@ -1763,7 +1785,7 @@ public function it_doesnt_process_or_error_when_uploading_non_glideable_file_wit
// Ensure a glide server is never instantiated for these extensions...
Facades\Glide::partialMock()->shouldReceive('server')->never();

$return = $asset->upload(UploadedFile::fake()->create("file.{$extension}"));
$return = $asset->upload(UploadedFile::fake()->createWithContent("file.{$extension}", '<svg width="20" height="30"></svg>'));

$this->assertEquals($asset, $return);
$this->assertDirectoryExists($glideDir = storage_path('statamic/glide/tmp'));
Expand Down
Loading