Sanatize SVG files when uploading

2025-07-13 03:44:36 +02:00 · 2025-05-18 21:00:19 +02:00 · 2025-05-18 21:00:19 +02:00 · 2c4f44e808
commit 2c4f44e808
parent 2b694731ad
4 changed files with 137 additions and 2 deletions
--- a/src/Services/Attachments/AttachmentSubmitHandler.php
+++ b/src/Services/Attachments/AttachmentSubmitHandler.php
@ -65,7 +65,7 @@ class AttachmentSubmitHandler
        'htpasswd', ''];

    public function __construct(protected AttachmentPathResolver $pathResolver, protected bool $allow_attachments_downloads,
-        protected HttpClientInterface $httpClient, protected MimeTypesInterface $mimeTypes,
+        protected HttpClientInterface $httpClient, protected MimeTypesInterface $mimeTypes, protected readonly SVGSanitizer $SVGSanitizer,
        protected FileTypeFilterTools $filterTools, /**
         * @var string The user configured maximum upload size. This is a string like "10M" or "1G" and will be converted to
         */
@ -214,6 +214,9 @@ class AttachmentSubmitHandler
        //Move the attachment files to secure location (and back) if needed
        $this->moveFile($attachment, $secure_attachment);

+        //Sanitize the SVG if needed
+        $this->sanitizeSVGFiles($attachment);
+
        //Rename blacklisted (unsecure) files to a better extension
        $this->renameBlacklistedExtensions($attachment);

@ -498,4 +501,32 @@ class AttachmentSubmitHandler

        return $this->max_upload_size_bytes;
    }
+
+    /**
+     * Sanatizes the given SVG file, if the attachment is an internal SVG file.
+     * @param  Attachment  $attachment
+     * @return Attachment
+     */
+    protected function sanitizeSVGFiles(Attachment $attachment): Attachment
+    {
+        //We can not do anything on builtins or external ressources
+        if ($attachment->isBuiltIn() || !$attachment->hasInternal()) {
+            return $attachment;
+        }
+
+        //Resolve the path to the file
+        $path = $this->pathResolver->placeholderToRealPath($attachment->getInternalPath());
+
+        //Check if the file exists
+        if (!file_exists($path)) {
+            return $attachment;
+        }
+
+        //Check if the file is an SVG
+        if ($attachment->getExtension() === "svg") {
+            $this->SVGSanitizer->sanitizeFile($path);
+        }
+
+        return $attachment;
+    }
 }