SECURITY: Remove event handlers from SVG files

2024-11-22 09:42:02 +08:00 · 2019-12-11 16:28:35 +02:00 · 2019-12-11 16:28:35 +02:00 · 4e130f1e03
commit 4e130f1e03
parent adfa793731
2 changed files with 23 additions and 0 deletions
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@ -277,6 +277,7 @@ class UploadCreator
  def whitelist_svg!
    doc = Nokogiri::XML(@file)
    doc.xpath(svg_whitelist_xpath).remove
+    doc.xpath("//@*[starts-with(name(), 'on')]").remove
    File.write(@file.path, doc.to_s)
    @file.rewind
  end
--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@ -247,4 +247,26 @@ RSpec.describe UploadCreator do
      end
    end
  end
+
+  describe '#whitelist_svg!' do
+    let(:file) do
+      file = Tempfile.new
+      file.write(<<~XML)
+        <?xml version="1.0" encoding="UTF-8"?>
+        <svg xmlns="http://www.w3.org/2000/svg" width="200px" height="200px" onload="alert(location)">
+        </svg>
+      XML
+      file.rewind
+      file
+    end
+
+    it 'removes event handlers' do
+      begin
+        UploadCreator.new(file, 'file.svg').whitelist_svg!
+        expect(file.read).not_to include('onload')
+      ensure
+        file.unlink
+      end
+    end
+  end
 end