✅ [open-formulieren/security-issues#35] Testing svg sanitizer

Author: robinmolen

src/openforms/config/tests/data/bad_svg.svg

@@ -1,6 +1,7 @@
 import json
 import shutil
 import tempfile
+from pathlib import Path
 from unittest.mock import patch
 
 from django.conf import settings
@@ -12,14 +13,17 @@
 import clamd
 from django_webtest import WebTest
 from maykin_2fa.test import disable_admin_mfa
-from webtest import Form as WebTestForm
+from webtest import Form as WebTestForm, Upload
 
 from openforms.accounts.tests.factories import SuperUserFactory
 from openforms.tests.utils import NOOP_CACHES
 
 from ..models import GlobalConfiguration
 
 
+PATH = Path(__file__).parent
+
+
 def _ensure_arrayfields(form: WebTestForm, config: GlobalConfiguration | None = None):
     if config is None:
         config = GlobalConfiguration.get_solo()  # type: ignore
@@ -165,6 +169,45 @@ def test_virus_scan_enabled_cant_connect(self):
             "Cannot connect to ClamAV: Cannot connect!",
         )
 
+    @override_settings(LANGUAGE_CODE="en")
+    def test_svg_sanitation_favicon(self):
+        config = GlobalConfiguration.get_solo()
+        bad_svg = PATH / "data" / "bad_svg.svg"
+        sanitized_svg = PATH / "data" / "sanitized_svg.svg"
+
+        with self.subTest(part="admin config"):
+            url = reverse("admin:config_globalconfiguration_change", args=(1,))
+
+            change_page = self.app.get(url)
+
+            with open(bad_svg, "rb") as bad_file:
+                # Assert that the bad svg contains script tags, which aren't allowed
+                decoded_svg = bad_file.read().decode("utf-8")
+                self.assertIn("<script", decoded_svg)
+                bad_file.seek(0)
+
+                upload = Upload("bad_svg.svg", bad_file.read(), "image/svg+xml")
+
+            form = change_page.forms["globalconfiguration_form"]
+            form["favicon"] = upload
+            _ensure_arrayfields(form, config=config)
+            response = form.submit()
+
+            self.assertEqual(response.status_code, 302)
+            config.refresh_from_db()
+            self.assertEqual(config.favicon, "logo/bad_svg.svg")
+
+        with self.subTest(part="assert favicon sanitized"):
+            with config.favicon.file.open("rb") as favicon_file:
+                # Assert that the logo has been sanitized and doesn't contain script tags
+                decoded_logo = favicon_file.read().decode("utf-8")
+                self.assertNotIn("<script", decoded_logo)
+                favicon_file.seek(0)
+
+                # Assert that the logo is completely sanitized
+                with open(sanitized_svg, "rb") as sanitized_file:
+                    self.assertEqual(sanitized_file.read(), favicon_file.read())
+
 
 class GlobalConfirmationEmailTests(TestCase):
     def setUp(self):

src/openforms/config/tests/data/sanitized_svg.svg

@@ -16,6 +16,7 @@
 from .factories import ThemeFactory
 
 LOGO_FILE = Path(settings.BASE_DIR) / "docs" / "logo.svg"
+PATH = Path(__file__).parent
 
 
 @disable_admin_mfa()
@@ -77,6 +78,43 @@ def test_upload_svg(self):
                 style_tag.text(),
             )
 
+    def test_upload_malicious_svg(self):
+        bad_svg = PATH / "data" / "bad_svg.svg"
+        sanitized_svg = PATH / "data" / "sanitized_svg.svg"
+        theme = ThemeFactory.create()
+
+        with self.subTest(part="admin config"):
+            url = reverse("admin:config_theme_change", args=(theme.pk,))
+
+            change_page = self.app.get(url)
+
+            with open(bad_svg, "rb") as bad_file:
+                # Assert that the bad svg contains script tags, which aren't allowed
+                decoded_svg = bad_file.read().decode("utf-8")
+                self.assertIn("<script", decoded_svg)
+                bad_file.seek(0)
+
+                upload = Upload("bad_svg.svg", bad_file.read(), "image/svg+xml")
+
+            form = change_page.forms["theme_form"]
+            form["logo"] = upload
+            response = form.submit()
+
+            self.assertEqual(response.status_code, 302)
+            theme.refresh_from_db()
+            self.assertEqual(theme.logo, "logo/bad_svg.svg")
+
+        with self.subTest(part="assert logo sanitized"):
+            with theme.logo.file.open("rb") as logo_file:
+                # Assert that the logo has been sanitized and doesn't contain script tags
+                decoded_logo = logo_file.read().decode("utf-8")
+                self.assertNotIn("<script", decoded_logo)
+                logo_file.seek(0)
+
+                # Assert that the logo is completely sanitized
+                with open(sanitized_svg, "rb") as sanitized_file:
+                    self.assertEqual(sanitized_file.read(), logo_file.read())
+
     def test_upload_png(self):
         logo = Path(settings.DJANGO_PROJECT_DIR) / "static" / "img" / "digid.png"
         theme = ThemeFactory.create()

src/openforms/config/tests/test_global_configuration.py

@@ -0,0 +1,56 @@
+from django.test import TestCase
+
+from ..sanitizer import sanitize_svg_content
+
+
+class SanitizeSvgContentTests(TestCase):
+    def test_sanitize_svg_content_removes_script_tags(self):
+        bad_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green" />'
+            "<script>//<![CDATA["
+            'alert("I am malicious >:)")'
+            "//]]></script>"
+            "<g>"
+            '<rect class="btn" x="0" y="0" width="10" height="10" fill="red" />'
+            "</g>"
+            "</svg>"
+        )
+        sanitized_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green"></circle>'
+            "//"
+            'alert("I am malicious &gt;:)")'
+            "//"
+            "<g>"
+            '<rect x="0" y="0" width="10" height="10" fill="red"></rect>'
+            "</g>"
+            "</svg>"
+        )
+
+        # Assert that sanitize_svg_content removed the script tag
+        sanitized_bad_svg_content = sanitize_svg_content(bad_svg_content)
+        self.assertEqual(sanitized_svg_content, sanitized_bad_svg_content)
+
+
+    def test_sanitize_svg_content_removes_event_handlers(self):
+        bad_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green" onclick="alert(\'forget about me?\')" />'
+            "<g>"
+            '<rect class="btn" x="0" y="0" width="10" height="10" fill="red" onload="alert(\'click!\')" />'
+            "</g>"
+            "</svg>"
+        )
+        sanitized_svg_content = (
+            '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">'
+            '<circle cx="25" cy="25" r="25" fill="green"></circle>'
+            "<g>"
+            '<rect x="0" y="0" width="10" height="10" fill="red"></rect>'
+            "</g>"
+            "</svg>"
+        )
+
+        # Assert that sanitize_svg_content removed the event handlers
+        sanitized_bad_svg_content = sanitize_svg_content(bad_svg_content)
+        self.assertEqual(sanitized_svg_content, sanitized_bad_svg_content)