✅ [open-formulieren/security-issues#35] Testing svg sanitizer

Author: robinmolen

src/openforms/config/tests/test_global_configuration.py

@@ -12,7 +12,7 @@
 import clamd
 from django_webtest import WebTest
 from maykin_2fa.test import disable_admin_mfa
-from webtest import Form as WebTestForm
+from webtest import Form as WebTestForm, Upload
 
 from openforms.accounts.tests.factories import SuperUserFactory
 from openforms.tests.utils import NOOP_CACHES
@@ -165,6 +165,56 @@ def test_virus_scan_enabled_cant_connect(self):
             "Cannot connect to ClamAV: Cannot connect!",
         )
 
+    @override_settings(LANGUAGE_CODE="en")
+    def test_svg_sanitation_favicon(self):
+        bad_svg_content = """
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green" onclick="alert(\'forget about me?\')" />
+        <script>//<![CDATA[
+        alert("I am malicious >:)")
+        //]]></script>
+        <g>
+        <rect class="btn" x="0" y="0" width="10" height="10" fill="red" onload="alert(\'click!\')" />
+        </g>
+        </svg>
+        """
+        sanitized_svg_content = b"""
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green"></circle>
+        //
+        alert("I am malicious &gt;:)")
+        //
+        <g>
+        <rect x="0" y="0" width="10" height="10" fill="red"></rect>
+        </g>
+        </svg>
+        """
+
+        config = GlobalConfiguration.get_solo()
+
+        with self.subTest(part="admin config"):
+            url = reverse("admin:config_globalconfiguration_change", args=(1,))
+            change_page = self.app.get(url)
+
+            upload = Upload(
+                "bad_svg.svg", bad_svg_content.encode("utf-8"), "image/svg+xml"
+            )
+
+            form = change_page.forms["globalconfiguration_form"]
+            form["favicon"] = upload
+            _ensure_arrayfields(form, config=config)
+            response = form.submit()
+
+            self.assertEqual(response.status_code, 302)
+            config.refresh_from_db()
+            self.assertEqual(config.favicon, "logo/bad_svg.svg")
+
+        with self.subTest(part="assert favicon sanitized"):
+            with config.favicon.file.open("r") as favicon_file:
+                # Assert that the logo is completely sanitized
+                decoded_logo = favicon_file.read()
+                self.assertEqual(decoded_logo, sanitized_svg_content)
+
 
 class GlobalConfirmationEmailTests(TestCase):
     def setUp(self):

src/openforms/config/tests/test_theme.py

@@ -77,6 +77,54 @@ def test_upload_svg(self):
                 style_tag.text(),
             )
 
+    def test_upload_malicious_svg(self):
+        bad_svg_content = """
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green" onclick="alert('forget about me?')" />
+        <script>//<![CDATA[
+        alert("I am malicious >:)")
+        //]]></script>
+        <g>
+        <rect class="btn" x="0" y="0" width="10" height="10" fill="red" onload="alert('click!')" />
+        </g>
+        </svg>
+        """
+        sanitized_svg_content = b"""
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green"></circle>
+        //
+        alert("I am malicious &gt;:)")
+        //
+        <g>
+        <rect x="0" y="0" width="10" height="10" fill="red"></rect>
+        </g>
+        </svg>
+        """
+        theme = ThemeFactory.create()
+
+        with self.subTest(part="admin config"):
+            url = reverse("admin:config_theme_change", args=(theme.pk,))
+
+            change_page = self.app.get(url)
+
+            upload = Upload(
+                "bad_svg.svg", bad_svg_content.encode("utf-8"), "image/svg+xml"
+            )
+
+            form = change_page.forms["theme_form"]
+            form["logo"] = upload
+            response = form.submit()
+
+            self.assertEqual(response.status_code, 302)
+            theme.refresh_from_db()
+            self.assertEqual(theme.logo, "logo/bad_svg.svg")
+
+        with self.subTest(part="assert logo sanitized"):
+            with theme.logo.file.open("r") as logo_file:
+                # Assert that the logo is completely sanitized
+                decoded_logo = logo_file.read()
+                self.assertEqual(decoded_logo, sanitized_svg_content)
+
     def test_upload_png(self):
         logo = Path(settings.DJANGO_PROJECT_DIR) / "static" / "img" / "digid.png"
         theme = ThemeFactory.create()

src/openforms/utils/tests/test_sanitizer.py

@@ -0,0 +1,91 @@
+import io
+
+from django.test import SimpleTestCase
+
+from ..sanitizer import sanitize_svg_content, sanitize_svg_file
+
+
+class SanitizeSvgFileTests(SimpleTestCase):
+    def test_sanitize_svg_content_removes_script_tags(self):
+        bad_svg_content = """
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green" />
+        <script>//<![CDATA[
+        alert("I am malicious >:)")
+        //]]></script>
+        <g>
+        <rect class="btn" x="0" y="0" width="10" height="10" fill="red" />
+        </g>
+        </svg>
+        """
+        sanitized_svg_content = b"""
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green"></circle>
+        //
+        alert("I am malicious &gt;:)")
+        //
+        <g>
+        <rect x="0" y="0" width="10" height="10" fill="red"></rect>
+        </g>
+        </svg>
+        """
+
+        temp_file = io.BytesIO(bad_svg_content.encode("utf-8"))
+
+        # Assert that sanitize_svg_content removed the script tag
+        sanitized_svg_file = sanitize_svg_file(temp_file)
+        self.assertEqual(
+            sanitized_svg_file.read(), sanitized_svg_content
+        )
+
+
+class SanitizeSvgContentTests(SimpleTestCase):
+    def test_sanitize_svg_content_removes_script_tags(self):
+        bad_svg_content = """
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green" />
+        <script>//<![CDATA[
+        alert("I am malicious >:)")
+        //]]></script>
+        <g>
+        <rect class="btn" x="0" y="0" width="10" height="10" fill="red" />
+        </g>
+        </svg>
+        """
+        sanitized_svg_content = """
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green"></circle>
+        //
+        alert("I am malicious &gt;:)")
+        //
+        <g>
+        <rect x="0" y="0" width="10" height="10" fill="red"></rect>
+        </g>
+        </svg>
+        """
+
+        # Assert that sanitize_svg_content removed the script tag
+        sanitized_bad_svg_content = sanitize_svg_content(bad_svg_content)
+        self.assertEqual(sanitized_svg_content, sanitized_bad_svg_content)
+
+    def test_sanitize_svg_content_removes_event_handlers(self):
+        bad_svg_content = """
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green" onclick="alert('forget about me?')" />
+        <g>
+        <rect class="btn" x="0" y="0" width="10" height="10" fill="red" onload="alert('click!')" />
+        </g>
+        </svg>
+        """
+        sanitized_svg_content = """
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
+        <circle cx="25" cy="25" r="25" fill="green"></circle>
+        <g>
+        <rect x="0" y="0" width="10" height="10" fill="red"></rect>
+        </g>
+        </svg>
+        """
+
+        # Assert that sanitize_svg_content removed the event handlers
+        sanitized_bad_svg_content = sanitize_svg_content(bad_svg_content)
+        self.assertEqual(sanitized_svg_content, sanitized_bad_svg_content)