FileUpload: Prohibit Inclusion of Foreign Objects

Signed-off-by: Releasemanager <webmaster@ilias.de>

Author: kergomard

components/ILIAS/FileUpload/src/Processor/SVGBlacklistPreProcessor.php

@@ -35,11 +35,13 @@ final class SVGBlacklistPreProcessor implements PreProcessor
 
     private const SVG_MIME_TYPE = 'image/svg+xml';
     private const REGEX_SCRIPT = '/<script/m';
+    private const REGEX_FOREIGN_OBJECT = '/<foreignObject/m';
     private const REGEX_BASE64 = '/data:.*;base64/m';
     private const SVG = 'svg';
     private string $rejection_message = 'The SVG file contains possibily malicious code.';
     private string $rejection_message_script;
     private string $rejection_message_base64;
+    private string $rejection_message_foreign_object;
     private string $rejection_message_elements;
     private string $ok_message = 'SVG OK';
     /**
@@ -124,11 +126,13 @@ public function __construct(
         ?string $rejection_message = null,
         ?string $additional_message_script = null,
         ?string $additional_message_base64 = null,
-        ?string $additional_message_elements = null,
+        ?string $additional_message_foreign_object = null,
+        ?string $additional_message_elements = null
     ) {
         $this->rejection_message = $rejection_message ?? $this->rejection_message;
         $this->rejection_message_script = $additional_message_script ?? 'contains script tags';
         $this->rejection_message_base64 = $additional_message_base64 ?? 'contains base64 encoded content';
+        $this->rejection_message_foreign_object = $additional_message_foreign_object ?? 'contains foreign object';
         $this->rejection_message_elements = $additional_message_elements ?? 'contains not allowed or unknown elements or attributes';
     }
 
@@ -209,6 +213,12 @@ private function hasContentScriptTag(string $raw_svg_content): bool
             return true;
         }
 
+        // Check for script tags directly
+        if (preg_match(self::REGEX_FOREIGN_OBJECT, $raw_svg_content)) {
+            $this->rejection_message .= ' ' . $this->rejection_message_foreign_object;
+            return true;
+        }
+
         return false;
     }
 
@@ -227,7 +237,7 @@ protected function getDOMAttributesLooper(): \Closure
                 }
                 foreach ($node->childNodes as $child) {
                     if ($child instanceof \DOMElement) {
-                        if(!$attributes_looper($child, $closure)) {
+                        if (!$attributes_looper($child, $closure)) {
                             return false;
                         }
                     }

components/ILIAS/FileUpload/tests/Processor/SVGPreProcessorTest.php

@@ -39,7 +39,7 @@ protected function getPreProcessor(): SVGBlacklistPreProcessor
             'The SVG file contains malicious code.',
             '(script)',
             '(base64)',
-            ''
+            '(foreignObject)',
         );
     }
 
@@ -60,7 +60,7 @@ public static function maliciousSVGProvider(): array
         
     </foreignObject>
 </svg>',
-                'onclick'
+                'foreignObject'
             ],
             [
                 '<svg version="1.1" baseProfile="full"

components/ILIAS/Init/classes/class.ilInitialisation.php

@@ -341,6 +341,7 @@ public static function initFileUploadService(\ILIAS\DI\Container $dic): void
                 $c->language()->txt("upload_svg_rejection_message"),
                 $c->language()->txt("upload_svg_rejection_message_script"),
                 $c->language()->txt("upload_svg_rejection_message_base64"),
+                $c->language()->txt("upload_svg_rejection_message_foreign_object"),
                 $c->language()->txt("upload_svg_rejection_message_elements")
             ));
 

lang/ilias_de.lang

@@ -5896,6 +5896,7 @@ common#:#upload_settings#:#Upload-Einstellungen
 common#:#upload_svg_rejection_message#:#Eine hochgeladene SVG-Datei enthält möglicherweise bösartigen Code und kann nicht verarbeitet werden.
 common#:#upload_svg_rejection_message_base64#:#Die Datei enthält base64 kodierten Inhalt.
 common#:#upload_svg_rejection_message_elements#:#Die Datei enthält Elemente oder Attribute, die nicht erlaubt oder bekannt sind.
+common#:#upload_svg_rejection_message_foreign_object#:#Die Datei bindet externe Objekte ein.
 common#:#upload_svg_rejection_message_script#:#Die Datei enthält Skript-Elemente.
 common#:#uploaded_and_checked#:#Die Datei wurde hochgeladen und überprüft, Sie können sie nun importieren.
 common#:#uploading#:#Hochladen...

lang/ilias_en.lang

@@ -5897,6 +5897,7 @@ common#:#upload_settings#:#Upload Settings
 common#:#upload_svg_rejection_message#:#An uploaded SVG file contains possibily malicious code and cannot be processed.
 common#:#upload_svg_rejection_message_base64#:#The file contains base64 encoded content.
 common#:#upload_svg_rejection_message_elements#:#The file contains elements or attributes which are not allowed or known.
+common#:#upload_svg_rejection_message_foreign_object#:#The file contains foreign objects.
 common#:#upload_svg_rejection_message_script#:#The file contains script-Elements.
 common#:#uploaded_and_checked#:#The file has been uploaded and checked, you can now start to import it.
 common#:#uploading#:#Uploading...