From 0ab3ba5f0de115463e90df36b8a006502c0e3d5e Mon Sep 17 00:00:00 2001
From: Penar Musaraj
Date: Tue, 11 Apr 2023 14:10:44 -0400
Subject: [PATCH] SECURITY: strip `xlink:href` from uploaded SVGs (#21057)

This was inadvertently removed in 4c46c7e. In very specific scenarios, this could be used execute arbitrary JavaScript. Only affects instances where SVGs are allowed as uploads and CDN is not configured.
---
 lib/upload_creator.rb | 1 +
 spec/lib/upload_creator_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/upload_creator.rb b/lib/upload_creator.rb
index 0933264061d..19b348b8df1 100644
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@@ -497,6 +497,7 @@ class UploadCreator
 if use_el.attr("href")
 use_el.remove_attribute("href") unless use_el.attr("href").starts_with?("#")
 end
+ use_el.remove_attribute("xlink:href")
 end
 File.write(@file.path, doc.to_s)
 @file.rewind
diff --git a/spec/lib/upload_creator_spec.rb b/spec/lib/upload_creator_spec.rb
index 7965a5f6dbb..cdc20d28603 100644
--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@@ -613,7 +613,7 @@ RSpec.describe UploadCreator do
-
+
 XML
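Review bot: The added `use_el.remove_attribute("xlink:href")` strips the attribute unconditionally, while the `href` branch directly above it keeps same-document references (values starting with `#`); `<use xlink:href="#symbol">` is the form most SVG tooling still emits for sprites, so valid uploads will silently lose their `<use>` references. If dropping every `xlink:href` is the intended policy, a one-line comment such as `# xlink:href is always dropped; only the unprefixed href form may reference a local fragment` would keep the next reader from "fixing" the asymmetry; otherwise mirror the existing guard with `xlink = use_el.attr("xlink:href")` and `use_el.remove_attribute("xlink:href") if xlink && !xlink.starts_with?("#")`. Whether `remove_attribute` given a prefixed name actually removes a namespaced attribute depends on the Nokogiri version in use, so the spec should assert on the serialized output for an external `xlink:href`; the spec hunk in the second file appears truncated in this rendering, so I cannot confirm it does. The enclosing `each` loop and the method it belongs to begin outside the hunk.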