Fix: Expanded SVG validation whitelist and additional checks (#11590)

2025-12-20 01:45:58 -06:00 · 2025-12-12 12:04:04 -08:00
parent a1026f03db
commit d9a596d67a
4 changed files with 516 additions and 86 deletions
--- a/src/documents/tests/samples/malicious.svg
+++ b/src/documents/tests/samples/malicious.svg
@@ -1,4 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
-  <text x="10" y="20">Hello</text>
-  <script>alert('XSS')</script>
-</svg>
--- a/src/documents/tests/test_api_app_config.py
+++ b/src/documents/tests/test_api_app_config.py
@@ -1,4 +1,5 @@
 import json
+from io import BytesIO
 from pathlib import Path

 from django.contrib.auth.models import User
@@ -199,17 +200,337 @@ class TestApiAppConfig(DirectoriesMixin, APITestCase):
        THEN:
            - SVG is rejected with 400
        """
-        path = Path(__file__).parent / "samples" / "malicious.svg"
-        with path.open("rb") as f:
-            response = self.client.patch(
-                f"{self.ENDPOINT}1/",
-                {"app_logo": f},
-                format="multipart",
-            )
+        malicious_svg = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
+                            <text x="10" y="20">Hello</text>
+                            <script>alert('XSS')</script>
+                            </svg>
+                        """
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "malicious_script.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )

+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("disallowed svg tag", str(response.data).lower())
+
+    def test_api_rejects_malicious_svg_with_style_javascript(self):
+        """
+        GIVEN:
+            - An SVG logo containing javascript: in style attribute
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+        <rect width="100" height="100" style="background: url(javascript:alert('XSS'));" fill="red"/>
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "malicious_style.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn(
+            "disallowed pattern in style attribute",
+            str(response.data).lower(),
+        )
+        self.assertIn("style", str(response.data).lower())
+
+    def test_api_rejects_svg_with_style_expression(self):
+        """
+        GIVEN:
+            - An SVG logo containing CSS expression() in style
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+        <rect width="100" height="100" style="width: expression(alert('XSS'));" fill="blue"/>
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "expression_style.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
        self.assertIn("disallowed", str(response.data).lower())

+    def test_api_rejects_svg_with_style_import(self):
+        """
+        GIVEN:
+            - An SVG logo containing @import in style
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+        <rect width="100" height="100" style="@import url('http://evil.com/malicious.css');" fill="green"/>
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "import_style.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("disallowed", str(response.data).lower())
+
+    def test_api_accepts_valid_svg_with_safe_style(self):
+        """
+        GIVEN:
+            - A valid SVG logo with safe style attributes
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is accepted with 200
+        """
+
+        safe_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+        <rect width="100" height="100" style="fill: #ff6b6b; stroke: #333; stroke-width: 2;"/>
+        <circle cx="50" cy="50" r="30" style="fill: white; opacity: 0.8;"/>
+    </svg>"""
+
+        svg_file = BytesIO(safe_svg)
+        svg_file.name = "safe_logo.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_api_rejects_svg_with_disallowed_attribute(self):
+        """
+        GIVEN:
+            - An SVG with a disallowed attribute (onclick)
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+        <rect width="100" height="100" fill="red" onclick="alert('XSS')"/>
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "onclick_attribute.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("disallowed", str(response.data).lower())
+        self.assertIn("attribute", str(response.data).lower())
+
+    def test_api_rejects_svg_with_disallowed_tag(self):
+        """
+        GIVEN:
+            - An SVG with a disallowed tag (script)
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+        <script>alert('XSS')</script>
+        <rect width="100" height="100" fill="blue"/>
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "script_tag.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("disallowed", str(response.data).lower())
+        self.assertIn("tag", str(response.data).lower())
+
+    def test_api_rejects_svg_with_javascript_href(self):
+        """
+        GIVEN:
+            - An SVG with javascript: in href attribute
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+        <defs>
+            <rect id="a" width="10" height="10" />
+        </defs>
+        <use href="javascript:alert('XSS')" />
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "javascript_href.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("disallowed", str(response.data).lower())
+        self.assertIn("javascript", str(response.data).lower())
+
+    def test_api_rejects_svg_with_javascript_xlink_href(self):
+        """
+        GIVEN:
+            - An SVG with javascript: in xlink:href attribute
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
+        <use xlink:href="javascript:alert('XSS')" />
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "javascript_xlink_href.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("disallowed", str(response.data).lower())
+        self.assertIn("javascript", str(response.data).lower())
+
+    def test_api_rejects_svg_with_data_text_html_href(self):
+        """
+        GIVEN:
+            - An SVG with data:text/html in href attribute
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+        """
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+            <defs>
+                <rect id="r" width="100" height="100" fill="purple"/>
+            </defs>
+            <use href="javascript:alert(1)" />
+        </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "data_html_href.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        # This will now catch "Disallowed URI scheme"
+        self.assertIn("disallowed", str(response.data).lower())
+
+    def test_api_rejects_svg_with_unknown_namespace_attribute(self):
+        """
+        GIVEN:
+            - An SVG with an attribute in an unknown/custom namespace
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400
+            - Error message identifies the namespaced attribute as disallowed
+        """
+
+        # Define a custom namespace "my:hack" and try to use it
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg"
+         xmlns:hack="http://example.com/hack"
+         viewBox="0 0 100 100">
+        <rect width="100" height="100" hack:fill="red" />
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "unknown_namespace.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        # The error message should show the full Clark notation (curly braces)
+        # because the validator's 'else' block kept the raw lxml name.
+        error_msg = str(response.data).lower()
+        self.assertIn("disallowed svg attribute", error_msg)
+        self.assertIn("{http://example.com/hack}fill", error_msg)
+
+    def test_api_rejects_svg_with_external_http_href(self) -> None:
+        """
+        GIVEN:
+            - An SVG with an external URI (http://) in a safe tag's href attribute.
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - SVG is rejected with 400 because http:// is not a safe_prefix.
+        """
+        from io import BytesIO
+
+        # http:// is not in dangerous_schemes, but it is not in safe_prefixes.
+        malicious_svg = b"""<?xml version="1.0" encoding="UTF-8"?>
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+        <use href="http://evil.com/logo.svg" />
+    </svg>"""
+
+        svg_file = BytesIO(malicious_svg)
+        svg_file.name = "external_http_href.svg"
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {"app_logo": svg_file},
+            format="multipart",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        # Check for the error message raised by the safe_prefixes check
+        self.assertIn("uri scheme not allowed", str(response.data).lower())
+
    def test_create_not_allowed(self):
        """
        GIVEN: