Sanatize SVG files when uploading

jbtronics · jbtronics · commit 2c4f44e80850 · 2025-05-18T21:00:19.000+02:00
diff --git a/composer.json b/composer.json
@@ -43,6 +43,7 @@
         "omines/datatables-bundle": "^0.9.1",
         "paragonie/sodium_compat": "^1.21",
         "part-db/label-fonts": "^1.0",
+        "rhukster/dom-sanitizer": "^1.0",
         "runtime/frankenphp-symfony": "^0.2.0",
         "s9e/text-formatter": "^2.1",
         "scheb/2fa-backup-code": "^6.8.0",
diff --git a/composer.lock b/composer.lock
diff --git a/src/Services/Attachments/AttachmentSubmitHandler.php b/src/Services/Attachments/AttachmentSubmitHandler.php
@@ -65,7 +65,7 @@ class AttachmentSubmitHandler
         'htpasswd', ''];
 
     public function __construct(protected AttachmentPathResolver $pathResolver, protected bool $allow_attachments_downloads,
-        protected HttpClientInterface $httpClient, protected MimeTypesInterface $mimeTypes,
+        protected HttpClientInterface $httpClient, protected MimeTypesInterface $mimeTypes, protected readonly SVGSanitizer $SVGSanitizer,
         protected FileTypeFilterTools $filterTools, /**
          * @var string The user configured maximum upload size. This is a string like "10M" or "1G" and will be converted to
          */
@@ -214,6 +214,9 @@ public function handleUpload(Attachment $attachment, ?AttachmentUpload $upload):
         //Move the attachment files to secure location (and back) if needed
         $this->moveFile($attachment, $secure_attachment);
 
+        //Sanitize the SVG if needed
+        $this->sanitizeSVGFiles($attachment);
+
         //Rename blacklisted (unsecure) files to a better extension
         $this->renameBlacklistedExtensions($attachment);
 
@@ -498,4 +501,32 @@ public function getMaximumAllowedUploadSize(): int
 
         return $this->max_upload_size_bytes;
     }
+
+    /**
+     * Sanatizes the given SVG file, if the attachment is an internal SVG file.
+     * @param  Attachment  $attachment
+     * @return Attachment
+     */
+    protected function sanitizeSVGFiles(Attachment $attachment): Attachment
+    {
+        //We can not do anything on builtins or external ressources
+        if ($attachment->isBuiltIn() || !$attachment->hasInternal()) {
+            return $attachment;
+        }
+
+        //Resolve the path to the file
+        $path = $this->pathResolver->placeholderToRealPath($attachment->getInternalPath());
+
+        //Check if the file exists
+        if (!file_exists($path)) {
+            return $attachment;
+        }
+
+        //Check if the file is an SVG
+        if ($attachment->getExtension() === "svg") {
+            $this->SVGSanitizer->sanitizeFile($path);
+        }
+
+        return $attachment;
+    }
 }
diff --git a/src/Services/Attachments/SVGSanitizer.php b/src/Services/Attachments/SVGSanitizer.php
@@ -0,0 +1,58 @@
+<?php
+/*
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ *  Copyright (C) 2019 - 2025 Jan Böhmer (https://github.com/jbtronics)
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published
+ *  by the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+declare(strict_types=1);
+
+
+namespace App\Services\Attachments;
+
+use Rhukster\DomSanitizer\DOMSanitizer;
+
+class SVGSanitizer
+{
+
+    /**
+     * Sanitizes the given SVG string by removing any potentially harmful content (like inline scripts).
+     * @param  string  $input
+     * @return string
+     */
+    public function sanitizeString(string $input): string
+    {
+        return (new DOMSanitizer(DOMSanitizer::SVG))->sanitize($input);
+    }
+
+    /**
+     * Sanitizes the given SVG file by removing any potentially harmful content (like inline scripts).
+     * The sanitized content is written back to the file.
+     * @param  string  $filepath
+     */
+    public function sanitizeFile(string $filepath): void
+    {
+        //Open the file and read the content
+        $content = file_get_contents($filepath);
+        if ($content === false) {
+            throw new \RuntimeException('Could not read file: ' . $filepath);
+        }
+        //Sanitize the content
+        $sanitizedContent = $this->sanitizeString($content);
+        //Write the sanitized content back to the file
+        file_put_contents($filepath, $sanitizedContent);
+    }
+}
