Merge commit from fork

* Security: prevent XSS with storage path template rendering * Security: prevent XSS svg uploads * Security: force attachment disposition for logo * Add suggestions from code review * Improve SVG validation with allowlist for tags and attributes
2025-08-26 01:16:16 +00:00 · 2025-08-16 07:34:00 -07:00
parent 42bdbc1b2d
commit b1c406680f
9 changed files with 179 additions and 10 deletions
--- a/src/documents/tests/samples/malicious.svg
+++ b/src/documents/tests/samples/malicious.svg
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
+  <text x="10" y="20">Hello</text>
+  <script>alert('XSS')</script>
+</svg>
--- a/src/documents/tests/test_api_app_config.py
+++ b/src/documents/tests/test_api_app_config.py
@@ -149,6 +149,11 @@ class TestApiAppConfig(DirectoriesMixin, APITestCase):
        THEN:
            - old app_logo file is deleted
        """
+        admin = User.objects.create_superuser(username="admin")
+        self.client.force_login(user=admin)
+        response = self.client.get("/logo/")
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
        with (Path(__file__).parent / "samples" / "simple.jpg").open("rb") as f:
            self.client.patch(
                f"{self.ENDPOINT}1/",
@@ -156,6 +161,12 @@ class TestApiAppConfig(DirectoriesMixin, APITestCase):
                    "app_logo": f,
                },
            )
+
+        # Logo exists at /logo/simple.jpg
+        response = self.client.get("/logo/simple.jpg")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertIn("image/jpeg", response["Content-Type"])
+
        config = ApplicationConfiguration.objects.first()
        old_logo = config.app_logo
        self.assertTrue(Path(old_logo.path).exists())
@@ -168,6 +179,26 @@ class TestApiAppConfig(DirectoriesMixin, APITestCase):
            )
        self.assertFalse(Path(old_logo.path).exists())

+    def test_api_rejects_malicious_svg_logo(self):
+        """
+        GIVEN:
+            - An SVG logo containing a <script> tag
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+        path = Path(__file__).parent / "samples" / "malicious.svg"
+        with path.open("rb") as f:
+            response = self.client.patch(
+                f"{self.ENDPOINT}1/",
+                {"app_logo": f},
+                format="multipart",
+            )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("disallowed", str(response.data).lower())
+
    def test_create_not_allowed(self):
        """
        GIVEN:
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -13,6 +13,7 @@ from urllib.parse import quote
 from urllib.parse import urlparse

 import httpx
+import magic
 import pathvalidate
 from celery import states
 from django.conf import settings
@@ -32,6 +33,7 @@ from django.db.models import When
 from django.db.models.functions import Length
 from django.db.models.functions import Lower
 from django.db.models.manager import Manager
+from django.http import FileResponse
 from django.http import Http404
 from django.http import HttpResponse
 from django.http import HttpResponseBadRequest
@@ -173,6 +175,7 @@ from paperless import version
 from paperless.celery import app as celery_app
 from paperless.config import GeneralConfig
 from paperless.db import GnuPG
+from paperless.models import ApplicationConfiguration
 from paperless.serialisers import GroupSerializer
 from paperless.serialisers import UserSerializer
 from paperless.views import StandardPagination
@@ -2946,3 +2949,27 @@ class TrashView(ListModelMixin, PassUserMixin):
                doc_ids = [doc.id for doc in docs]
            empty_trash(doc_ids=doc_ids)
        return Response({"result": "OK", "doc_ids": doc_ids})
+
+
+def serve_logo(request, filename):
+    """
+    Serves the configured logo file with Content-Disposition: attachment.
+    Prevents inline execution of SVGs. See GHSA-6p53-hqqw-8j62
+    """
+    logger.warning("Serving app logo...")
+    config = ApplicationConfiguration.objects.first()
+    app_logo = config.app_logo
+
+    logger.warning(f"Serving logo: {app_logo}")
+
+    if not app_logo:
+        raise Http404("No logo configured")
+
+    path = app_logo.path
+    content_type = magic.from_file(path, mime=True) or "application/octet-stream"
+
+    return FileResponse(
+        app_logo.open("rb"),
+        content_type=content_type,
+        filename=app_logo.name,
+    ).as_attachment()