mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-20 17:15:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Sanatize SVG files when uploading

Browse source
This commit is contained in:
Jan Böhmer 2025-05-18 21:00:19 +02:00
parent 2b694731ad
commit 2c4f44e808
4 changed files with 137 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
composer.json
View file

@ -43,6 +43,7 @@
"omines/datatables-bundle": "^0.9.1", "omines/datatables-bundle": "^0.9.1",
"paragonie/sodium_compat": "^1.21", "paragonie/sodium_compat": "^1.21",
"part-db/label-fonts": "^1.0", "part-db/label-fonts": "^1.0",
"rhukster/dom-sanitizer": "^1.0",
"runtime/frankenphp-symfony": "^0.2.0", "runtime/frankenphp-symfony": "^0.2.0",
"s9e/text-formatter": "^2.1", "s9e/text-formatter": "^2.1",
"scheb/2fa-backup-code": "^6.8.0", "scheb/2fa-backup-code": "^6.8.0",

47
composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "7fb73581b0074c5a79afb3ffa614ed8e", "content-hash": "27cd0d915eab5e7cb57215a4c0b529fb",
"packages": [ "packages": [
{ {
"name": "amphp/amp", "name": "amphp/amp",
@ -7125,6 +7125,51 @@
}, },
"time": "2025-01-25T19:27:39+00:00" "time": "2025-01-25T19:27:39+00:00"
}, },
{
"name": "rhukster/dom-sanitizer",
"version": "1.0.7",
"source": {
"type": "git",
"url": "https://github.com/rhukster/dom-sanitizer.git",
"reference": "c2a98f27ad742668b254282ccc5581871d0fb601"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/rhukster/dom-sanitizer/zipball/c2a98f27ad742668b254282ccc5581871d0fb601",
"reference": "c2a98f27ad742668b254282ccc5581871d0fb601",
"shasum": ""
},
"require": {
"ext-dom": "*",
"ext-libxml": "*",
"php": ">=7.3"
},
"require-dev": {
"phpunit/phpunit": "^9"
},
"type": "library",
"autoload": {
"psr-4": {
"Rhukster\\DomSanitizer\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Andy Miller",
"email": "rhuk@rhuk.net"
}
],
"description": "A simple but effective DOM/SVG/MathML Sanitizer for PHP 7.4+",
"support": {
"issues": "https://github.com/rhukster/dom-sanitizer/issues",
"source": "https://github.com/rhukster/dom-sanitizer/tree/1.0.7"
},
"time": "2023-11-06T16:46:48+00:00"
},
{ {
"name": "robrichards/xmlseclibs", "name": "robrichards/xmlseclibs",
"version": "3.1.3", "version": "3.1.3",

33
src/Services/Attachments/AttachmentSubmitHandler.php
View file

@ -65,7 +65,7 @@ class AttachmentSubmitHandler
'htpasswd', '']; 'htpasswd', ''];
public function __construct(protected AttachmentPathResolver $pathResolver, protected bool $allow_attachments_downloads, public function __construct(protected AttachmentPathResolver $pathResolver, protected bool $allow_attachments_downloads,
protected HttpClientInterface $httpClient, protected MimeTypesInterface $mimeTypes, protected HttpClientInterface $httpClient, protected MimeTypesInterface $mimeTypes, protected readonly SVGSanitizer $SVGSanitizer,
protected FileTypeFilterTools $filterTools, /** protected FileTypeFilterTools $filterTools, /**
* @var string The user configured maximum upload size. This is a string like "10M" or "1G" and will be converted to * @var string The user configured maximum upload size. This is a string like "10M" or "1G" and will be converted to
*/ */
@ -214,6 +214,9 @@ class AttachmentSubmitHandler
//Move the attachment files to secure location (and back) if needed //Move the attachment files to secure location (and back) if needed
$this->moveFile($attachment, $secure_attachment); $this->moveFile($attachment, $secure_attachment);
//Sanitize the SVG if needed
$this->sanitizeSVGFiles($attachment);
//Rename blacklisted (unsecure) files to a better extension //Rename blacklisted (unsecure) files to a better extension
$this->renameBlacklistedExtensions($attachment); $this->renameBlacklistedExtensions($attachment);
@ -498,4 +501,32 @@ class AttachmentSubmitHandler
return $this->max_upload_size_bytes; return $this->max_upload_size_bytes;
} }
/**
* Sanatizes the given SVG file, if the attachment is an internal SVG file.
* @param Attachment $attachment
* @return Attachment
*/
protected function sanitizeSVGFiles(Attachment $attachment): Attachment
{
//We can not do anything on builtins or external ressources
if ($attachment->isBuiltIn() || !$attachment->hasInternal()) {
return $attachment;
}
//Resolve the path to the file
$path = $this->pathResolver->placeholderToRealPath($attachment->getInternalPath());
//Check if the file exists
if (!file_exists($path)) {
return $attachment;
}
//Check if the file is an SVG
if ($attachment->getExtension() === "svg") {
$this->SVGSanitizer->sanitizeFile($path);
}
return $attachment;
}
} }

58
src/Services/Attachments/SVGSanitizer.php Normal file
View file

@ -0,0 +1,58 @@
<?php
/*
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2025 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
declare(strict_types=1);
namespace App\Services\Attachments;
use Rhukster\DomSanitizer\DOMSanitizer;
class SVGSanitizer
{
/**
* Sanitizes the given SVG string by removing any potentially harmful content (like inline scripts).
* @param string $input
* @return string
*/
public function sanitizeString(string $input): string
{
return (new DOMSanitizer(DOMSanitizer::SVG))->sanitize($input);
}
/**
* Sanitizes the given SVG file by removing any potentially harmful content (like inline scripts).
* The sanitized content is written back to the file.
* @param string $filepath
*/
public function sanitizeFile(string $filepath): void
{
//Open the file and read the content
$content = file_get_contents($filepath);
if ($content === false) {
throw new \RuntimeException('Could not read file: ' . $filepath);
}
//Sanitize the content
$sanitizedContent = $this->sanitizeString($content);
//Write the sanitized content back to the file
file_put_contents($filepath, $sanitizedContent);
}
}