|
2 | 2 |
|
3 | 3 | namespace Webkul\Core\Traits; |
4 | 4 |
|
| 5 | +use enshrined\svgSanitize\data\AllowedAttributes; |
| 6 | +use enshrined\svgSanitize\data\AllowedTags; |
5 | 7 | use enshrined\svgSanitize\Sanitizer as MainSanitizer; |
| 8 | +use Exception; |
| 9 | +use Illuminate\Http\UploadedFile; |
6 | 10 | use Illuminate\Support\Facades\Storage; |
7 | 11 |
|
| 12 | +/** |
| 13 | + * Trait for sanitizing SVG uploads to prevent security vulnerabilities. |
| 14 | + */ |
8 | 15 | trait Sanitizer |
9 | 16 | { |
10 | 17 | /** |
11 | | - * List of mime types which needs to check. |
| 18 | + * Sanitize an SVG file to remove potentially malicious content. |
12 | 19 | */ |
13 | | - public $mimeTypes = [ |
14 | | - 'image/svg', |
15 | | - 'image/svg+xml', |
16 | | - ]; |
17 | | - |
18 | | - /** |
19 | | - * Sanitize SVG file. |
20 | | - * |
21 | | - * @param string $path |
22 | | - * @return void |
23 | | - */ |
24 | | - public function sanitizeSVG($path, $mimeType) |
| 20 | + public function sanitizeSvg(string $path, UploadedFile $file): void |
25 | 21 | { |
26 | | - if ($this->checkMimeType($mimeType)) { |
27 | | - /* sanitizer instance */ |
| 22 | + if (! $this->isSvgFile($file)) { |
| 23 | + return; |
| 24 | + } |
| 25 | + |
| 26 | + try { |
| 27 | + $svgContent = Storage::get($path); |
| 28 | + |
| 29 | + if (! $svgContent) { |
| 30 | + return; |
| 31 | + } |
| 32 | + |
28 | 33 | $sanitizer = new MainSanitizer; |
| 34 | + $sanitizer->setAllowedAttrs(new AllowedAttributes); |
| 35 | + $sanitizer->setAllowedTags(new AllowedTags); |
| 36 | + |
| 37 | + $sanitizer->minify(true); |
| 38 | + $sanitizer->removeRemoteReferences(true); |
| 39 | + $sanitizer->removeXMLTag(true); |
| 40 | + |
| 41 | + $sanitizer->setXMLOptions(LIBXML_NONET | LIBXML_NOBLANKS); |
| 42 | + |
| 43 | + $sanitizedContent = $sanitizer->sanitize($svgContent); |
| 44 | + |
| 45 | + if ($sanitizedContent === false) { |
| 46 | + $patterns = [ |
| 47 | + '/<script\b[^>]*>(.*?)<\/script>/is', |
| 48 | + '/\bon\w+\s*=\s*["\'][^"\']*["\']/i', |
| 49 | + '/javascript\s*:/i', |
| 50 | + '/data\s*:[^,]*base64/i', |
| 51 | + ]; |
| 52 | + |
| 53 | + $sanitizedContent = $svgContent; |
| 54 | + |
| 55 | + foreach ($patterns as $pattern) { |
| 56 | + $sanitizedContent = preg_replace($pattern, '', $sanitizedContent); |
| 57 | + } |
| 58 | + |
| 59 | + Storage::put($path, $sanitizedContent); |
| 60 | + |
| 61 | + return; |
| 62 | + } |
| 63 | + |
| 64 | + $sanitizedContent = preg_replace('/(<script.*?>.*?<\/script>)|(\son\w+\s*=\s*["\'][^"\']*["\'])/is', '', $sanitizedContent); |
29 | 65 |
|
30 | | - /* grab svg file */ |
31 | | - $dirtySVG = Storage::get($path); |
| 66 | + Storage::put($path, $sanitizedContent); |
| 67 | + } catch (Exception $e) { |
| 68 | + report($e->getMessage()); |
32 | 69 |
|
33 | | - /* save sanitized svg */ |
34 | | - Storage::put($path, $sanitizer->sanitize($dirtySVG)); |
| 70 | + Storage::delete($path); |
35 | 71 | } |
36 | 72 | } |
37 | 73 |
|
38 | 74 | /** |
39 | | - * Sanitize SVG file. |
40 | | - * |
41 | | - * @param string $path |
42 | | - * @return void |
| 75 | + * Check if the uploaded file is an SVG based on both extension and mime type. |
43 | 76 | */ |
44 | | - public function checkMimeType($mimeType) |
| 77 | + public function isSvgFile(UploadedFile $file): bool |
45 | 78 | { |
46 | | - return in_array($mimeType, $this->mimeTypes); |
| 79 | + return str_contains(strtolower($file->getClientOriginalExtension()), 'svg'); |
47 | 80 | } |
48 | 81 | } |
0 commit comments