
Sanitize uploaded SVG files #6687

Merged: 10 commits merged into 4.7.5 from fix/sanitize-uploaded-SVG-files-2144 on May 21, 2024

Conversation

asteriscos (Member) commented May 17, 2024

Description

This pull request adds sanitization to uploaded SVG custom branding files.

Evidence

(two screenshots attached)

Test

Upload file

  • Go to Settings / Configuration
  • Upload the provided test SVG file
  • Verify the script embedded is removed

Sanitize previously uploaded files

  • Save the sample SVG file into the custom branding images folder
  • Initialize the app
  • Verify the script has been removed

Sample SVG file

customization.logo.app.svg

<svg version="1.1" id="Capa_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
     width="100px" height="100px" viewBox="0 0 100 100" style="enable-background:new 0 0 100 100;" xml:space="preserve">
  <circle cx="50" cy="50" r="45" fill="green" id="foo" o="foo"/>
  <script>alert(document.domain);</script>
</svg>

Check List

  • All tests pass
    • yarn test:jest
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

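The behaviour both test cases above check (the script element is gone after upload and, for files already on disk, after the app initializes), as an added Python example that is not the project's code: it parses the SVG with an XML parser and filters the tree instead of matching tags with regular expressions. The element block list, the unsafe-URL pattern, the folder helper and the sample constant are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Assumed block list: elements that run code or embed foreign content are dropped with their subtree.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# href values that can carry script; ordinary data:image/png URLs stay allowed.
UNSAFE_URL = re.compile(r"^\s*(?:javascript|vbscript)\s*:|^\s*data\s*:\s*(?:text/html|image/svg\+xml)", re.I)

def _local(qname: str) -> str:  # strip the {namespace} prefix ElementTree adds
    return qname.rsplit("}", 1)[-1]

def sanitize_svg(svg_text: str) -> str:
    """Parse, strip scriptable content, re-serialize; malformed XML raises, so the upload is rejected."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    for parent in list(root.iter()):  # snapshot: the loop mutates children
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr).lower()
            # on* event handlers (onload, onclick, onbegin...) and script-bearing hrefs are removed
            if name.startswith("on") or (name == "href" and UNSAFE_URL.match(el.attrib[attr])):
                del el.attrib[attr]
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode")

def has_script(svg_text: str) -> bool:  # the check behind "Verify the script has been removed"
    return any(_local(el.tag) == "script" for el in ET.fromstring(svg_text).iter())

def sanitize_branding_folder(folder: Path) -> int:
    """Startup pass over already-uploaded files (the PR's second test case); returns files rewritten."""
    changed = 0
    for path in folder.glob("*.svg"):
        original = path.read_text(encoding="utf-8")
        cleaned = sanitize_svg(original)
        if cleaned != original:
            path.write_text(cleaned, encoding="utf-8")
            changed += 1
    return changed

# Constructed copy of the PR's sample file (attributes trimmed).
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="45" fill="green"/>'
          '<script>alert(document.domain);</script></svg>')
```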
@asteriscos asteriscos self-assigned this May 17, 2024
@asteriscos asteriscos marked this pull request as ready for review May 19, 2024 15:18
Tostti (Member) commented May 21, 2024

Test

  • Upload file 🟢
  • Sanitize previously uploaded files 🟢

@jbiset jbiset self-requested a review May 21, 2024 19:07
jbiset (Member) left a comment

CR: 🟢

Test: 🟢

Upload file 🟢

  • Go to Settings / Configuration
  • Upload the provided test SVG file
  • Verify the script embedded is removed

Evidence (screenshots): 1-config_logo_screen, 2-configured_logo_screen, 2-sanitized_logo

Sanitize previously uploaded files 🟢

  • Save the sample SVG file into the custom branding images folder
  • Initialize the app
  • Verify the script has been removed

Evidence (screenshots): 3-changed_assets_logo, 4-app_restarted, 5-sanitized_logo_after_app_rea

Machi3mfl (Member) left a comment
CR: ✅
Test: ✅

Removes the script tag from the SVG file when it is uploaded via the UI

Screen.Recording.2024-05-21.at.15.49.05.mov

Adding a script tag inside the SVG file when the file is already uploaded

The SVG file is cleaned after the cron job executes

Screen.Recording.2024-05-21.at.15.49.45.mov
Screen.Recording.2024-05-21.at.15.51.24.mov

@asteriscos asteriscos merged commit 9dbad61 into 4.7.5 May 21, 2024
1 check passed
@asteriscos asteriscos deleted the fix/sanitize-uploaded-SVG-files-2144 branch May 21, 2024 19:16