✅ [open-formulieren/security-issues#35] Testing svg sanitizer

robinmolen · robinmolen · commit 16355a96c22c · 2025-02-26T11:32:52.000+01:00
diff --git a/src/openforms/config/tests/test_global_configuration.py b/src/openforms/config/tests/test_global_configuration.py
@@ -12,7 +12,7 @@
 import clamd
 from django_webtest import WebTest
 from maykin_2fa.test import disable_admin_mfa
-from webtest import Form as WebTestForm
+from webtest import Form as WebTestForm, Upload
 
 from openforms.accounts.tests.factories import SuperUserFactory
 from openforms.tests.utils import NOOP_CACHES
@@ -165,6 +165,56 @@ def test_virus_scan_enabled_cant_connect(self):
             "Cannot connect to ClamAV: Cannot connect!",
         )
 
+    @override_settings(LANGUAGE_CODE="en")
+    def test_svg_sanitation_favicon(self):
+        bad_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green" onclick="alert(\'forget about me?\')" />'
+            "<script>//<![CDATA["
+            'alert("I am malicious >:)")'
+            "//]]></script>"
+            "<g>"
+            '<rect class="btn" x="0" y="0" width="10" height="10" fill="red" onload="alert(\'click!\')" />'
+            "</g>"
+            "</svg>"
+        )
+        sanitized_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green"></circle>'
+            "//"
+            'alert("I am malicious &gt;:)")'
+            "//"
+            "<g>"
+            '<rect x="0" y="0" width="10" height="10" fill="red"></rect>'
+            "</g>"
+            "</svg>"
+        )
+
+        config = GlobalConfiguration.get_solo()
+
+        with self.subTest(part="admin config"):
+            url = reverse("admin:config_globalconfiguration_change", args=(1,))
+            change_page = self.app.get(url)
+
+            upload = Upload(
+                "bad_svg.svg", bad_svg_content.encode("utf-8"), "image/svg+xml"
+            )
+
+            form = change_page.forms["globalconfiguration_form"]
+            form["favicon"] = upload
+            _ensure_arrayfields(form, config=config)
+            response = form.submit()
+
+            self.assertEqual(response.status_code, 302)
+            config.refresh_from_db()
+            self.assertEqual(config.favicon, "logo/bad_svg.svg")
+
+        with self.subTest(part="assert favicon sanitized"):
+            with config.favicon.file.open("rb") as favicon_file:
+                # Assert that the logo is completely sanitized
+                decoded_logo = favicon_file.read().decode("utf-8")
+                self.assertEqual(decoded_logo, sanitized_svg_content)
+
 
 class GlobalConfirmationEmailTests(TestCase):
     def setUp(self):
diff --git a/src/openforms/config/tests/test_theme.py b/src/openforms/config/tests/test_theme.py
@@ -77,6 +77,54 @@ def test_upload_svg(self):
                 style_tag.text(),
             )
 
+    def test_upload_malicious_svg(self):
+        bad_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green" onclick="alert(\'forget about me?\')" />'
+            "<script>//<![CDATA["
+            'alert("I am malicious >:)")'
+            "//]]></script>"
+            "<g>"
+            '<rect class="btn" x="0" y="0" width="10" height="10" fill="red" onload="alert(\'click!\')" />'
+            "</g>"
+            "</svg>"
+        )
+        sanitized_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green"></circle>'
+            "//"
+            'alert("I am malicious &gt;:)")'
+            "//"
+            "<g>"
+            '<rect x="0" y="0" width="10" height="10" fill="red"></rect>'
+            "</g>"
+            "</svg>"
+        )
+        theme = ThemeFactory.create()
+
+        with self.subTest(part="admin config"):
+            url = reverse("admin:config_theme_change", args=(theme.pk,))
+
+            change_page = self.app.get(url)
+
+            upload = Upload(
+                "bad_svg.svg", bad_svg_content.encode("utf-8"), "image/svg+xml"
+            )
+
+            form = change_page.forms["theme_form"]
+            form["logo"] = upload
+            response = form.submit()
+
+            self.assertEqual(response.status_code, 302)
+            theme.refresh_from_db()
+            self.assertEqual(theme.logo, "logo/bad_svg.svg")
+
+        with self.subTest(part="assert logo sanitized"):
+            with theme.logo.file.open("rb") as logo_file:
+                # Assert that the logo is completely sanitized
+                decoded_logo = logo_file.read().decode("utf-8")
+                self.assertEqual(decoded_logo, sanitized_svg_content)
+
     def test_upload_png(self):
         logo = Path(settings.DJANGO_PROJECT_DIR) / "static" / "img" / "digid.png"
         theme = ThemeFactory.create()
diff --git a/src/openforms/utils/tests/test_sanitizer.py b/src/openforms/utils/tests/test_sanitizer.py
@@ -0,0 +1,92 @@
+import tempfile
+
+from django.test import TestCase
+
+from ..sanitizer import sanitize_svg_content, sanitize_svg_file
+
+
+class SanitizeSvgFileTests(TestCase):
+    def test_sanitize_svg_content_removes_script_tags(self):
+        bad_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green" />'
+            "<script>//<![CDATA["
+            'alert("I am malicious >:)")'
+            "//]]></script>"
+            "<g>"
+            '<rect class="btn" x="0" y="0" width="10" height="10" fill="red" />'
+            "</g>"
+            "</svg>"
+        )
+        sanitized_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green"></circle>'
+            "//"
+            'alert("I am malicious &gt;:)")'
+            "//"
+            "<g>"
+            '<rect x="0" y="0" width="10" height="10" fill="red"></rect>'
+            "</g>"
+            "</svg>"
+        )
+
+        with tempfile.TemporaryFile() as temp_file:
+            temp_file.write(bad_svg_content.encode("utf-8"))
+
+            # Assert that sanitize_svg_content removed the script tag
+            sanitized_svg_file = sanitize_svg_file(temp_file)
+            self.assertEqual(
+                sanitized_svg_file.read().decode("utf-8"), sanitized_svg_content
+            )
+
+
+class SanitizeSvgContentTests(TestCase):
+    def test_sanitize_svg_content_removes_script_tags(self):
+        bad_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green" />'
+            "<script>//<![CDATA["
+            'alert("I am malicious >:)")'
+            "//]]></script>"
+            "<g>"
+            '<rect class="btn" x="0" y="0" width="10" height="10" fill="red" />'
+            "</g>"
+            "</svg>"
+        )
+        sanitized_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green"></circle>'
+            "//"
+            'alert("I am malicious &gt;:)")'
+            "//"
+            "<g>"
+            '<rect x="0" y="0" width="10" height="10" fill="red"></rect>'
+            "</g>"
+            "</svg>"
+        )
+
+        # Assert that sanitize_svg_content removed the script tag
+        sanitized_bad_svg_content = sanitize_svg_content(bad_svg_content)
+        self.assertEqual(sanitized_svg_content, sanitized_bad_svg_content)
+
+    def test_sanitize_svg_content_removes_event_handlers(self):
+        bad_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green" onclick="alert(\'forget about me?\')" />'
+            "<g>"
+            '<rect class="btn" x="0" y="0" width="10" height="10" fill="red" onload="alert(\'click!\')" />'
+            "</g>"
+            "</svg>"
+        )
+        sanitized_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green"></circle>'
+            "<g>"
+            '<rect x="0" y="0" width="10" height="10" fill="red"></rect>'
+            "</g>"
+            "</svg>"
+        )
+
+        # Assert that sanitize_svg_content removed the event handlers
+        sanitized_bad_svg_content = sanitize_svg_content(bad_svg_content)
+        self.assertEqual(sanitized_svg_content, sanitized_bad_svg_content)
