paradizelost/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-08-26 01:16:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
* Security: prevent XSS with storage path template rendering

* Security: prevent XSS svg uploads

* Security: force attachment disposition for logo

* Add suggestions from code review

* Improve SVG validation with allowlist for tags and attributes
This commit is contained in:
shamoon
2025-08-16 07:34:00 -07:00
committed by GitHub
parent 42bdbc1b2d
commit b1c406680f
9 changed files with 179 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/documents/views.py
View File

@@ -13,6 +13,7 @@ from urllib.parse import quote
from urllib.parse import urlparse
import httpx
import magic
import pathvalidate
from celery import states
from django.conf import settings
@@ -32,6 +33,7 @@ from django.db.models import When
from django.db.models.functions import Length
from django.db.models.functions import Lower
from django.db.models.manager import Manager
from django.http import FileResponse
from django.http import Http404
from django.http import HttpResponse
from django.http import HttpResponseBadRequest
@@ -173,6 +175,7 @@ from paperless import version
from paperless.celery import app as celery_app
from paperless.config import GeneralConfig
from paperless.db import GnuPG
from paperless.models import ApplicationConfiguration
from paperless.serialisers import GroupSerializer
from paperless.serialisers import UserSerializer
from paperless.views import StandardPagination
@@ -2946,3 +2949,27 @@ class TrashView(ListModelMixin, PassUserMixin):
doc_ids = [doc.id for doc in docs]
empty_trash(doc_ids=doc_ids)
return Response({"result": "OK", "doc_ids": doc_ids})
def serve_logo(request, filename):
"""
Serves the configured logo file with Content-Disposition: attachment.
Prevents inline execution of SVGs. See GHSA-6p53-hqqw-8j62
"""
logger.warning("Serving app logo...")
config = ApplicationConfiguration.objects.first()
app_logo = config.app_logo
logger.warning(f"Serving logo: {app_logo}")
if not app_logo:
raise Http404("No logo configured")
path = app_logo.path
content_type = magic.from_file(path, mime=True) or "application/octet-stream"
return FileResponse(
app_logo.open("rb"),
content_type=content_type,
filename=app_logo.name,
).as_attachment()