ILIAS  release_7 Revision v7.30-3-g800a261c036
All Data Structures Namespaces Files Functions Variables Modules Pages
SVGPreProcessorTest.php
Go to the documentation of this file.
1 <?php
2 
19 namespace ILIAS\FileUpload\Processor;
20 
21 require_once('./libs/composer/vendor/autoload.php');
22 
23 use PHPUnit\Framework\TestCase;
24 use ILIAS\FileUpload\DTO\Metadata;
25 use ILIAS\Filesystem\Stream\Streams;
26 use ILIAS\FileUpload\DTO\ProcessingStatus;
27 
31 class SVGPreProcessorTest extends TestCase
32 {
33  public function maliciousSVGProvider() : array
34  {
35  return [
36  [
37  '<svg width="100" height="100">
38  <foreignObject width="100%" height="100%">
39  <script>alert(document.domain);</script>
40  </foreignObject>
41 </svg>',
42  'script'
43  ],
44  [
45  '<svg width="100" height="100">
46  <foreignObject width="100%" height="100%" onclick="alert(document.domain);">
47 
48  </foreignObject>
49 </svg>',
50  'onclick'
51  ],
52  [
53  '<svg version="1.1" baseProfile="full"
54 xmlns="http://www.w3.org/2000/svg">
55 <rect width="100" height="100" style="fill:rgb(0,0,255);" />
56 <script type="text/javascript">
57 alert("XSS in SVG on " + document.domain );
58 </script>
59 </svg>',
60  'script'
61  ],
62  [
63  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
64 <use xlink:href="data:application/xml;base64 ,
65 PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
66 PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
67 jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
68 FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
69 aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
70 8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
71 </svg>',
72  'base64'
73  ]
74  ];
75  }
76 
80  public function testMaliciousSVG(string $malicious_svg, string $type) : void
81  {
82  $preProcessor = new SVGBlacklistPreProcessor('The SVG file contains malicious code.');
83  $stream = Streams::ofString($malicious_svg);
84  $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
85 
86  $result = $preProcessor->process($stream, $metadata);
87 
88  $this->assertFalse($result->getCode() === ProcessingStatus::OK);
89  $this->assertTrue($result->getCode() === ProcessingStatus::DENIED);
90  $this->assertSame('The SVG file contains malicious code. (' . $type . ').', $result->getMessage());
91  }
92 
93  public function testSaneSVG() : void
94  {
95  $svg = '<svg version="1.1" baseProfile="full"
96 xmlns="http://www.w3.org/2000/svg">
97 <rect width="100" height="100" style="fill:rgb(0,0,255);" />
98 </svg>';
99 
100  $preProcessor = new SVGBlacklistPreProcessor('The SVG file contains possibily malicious code.');
101  $stream = Streams::ofString($svg);
102  $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
103 
104  $result = $preProcessor->process($stream, $metadata);
105 
106  $this->assertTrue($result->getCode() === ProcessingStatus::OK);
107  $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
108  $this->assertSame('SVG OK', $result->getMessage());
109  }
110 
111  public function provideSomeComplexSaneSVG() : array
112  {
113  return [
114  ['./templates/default/images/bigplay.svg'],
115  ['./templates/default/images/jstree.svg'],
116  ['./templates/default/images/loader.svg'],
117  ['./templates/default/images/col.svg'],
118  ['./templates/default/images/HeaderIcon.svg'],
119  ['./templates/default/images/answered_not.svg'],
120  ];
121  }
122 
126  public function testSomeComplexSaneSVG(string $path) : void
127  {
128  $this->assertTrue(file_exists($path));
129  $svg = file_get_contents($path);
130 
131  $preProcessor = new SVGBlacklistPreProcessor('The SVG file contains possibily malicious code.');
132  $stream = Streams::ofString($svg);
133  $metadata = new Metadata('bigplay.svg', 100, 'image/svg+xml');
134 
135  $result = $preProcessor->process($stream, $metadata);
136 
137  $this->assertSame('SVG OK', $result->getMessage());
138  $this->assertTrue($result->getCode() === ProcessingStatus::OK);
139  $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
140  }
141 }
ILIAS\FileUpload\DTO\ProcessingStatus\REJECTED
const REJECTED
Upload got rejected by a processor.
Definition: ProcessingStatus.php:46
$result
$result
Definition: CleanUpTest.php:463
$type
$type
Definition: proxy_ylocal.php:10
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testMaliciousSVG
testMaliciousSVG(string $malicious_svg, string $type)
maliciousSVGProvider
Definition: SVGPreProcessorTest.php:80
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testSomeComplexSaneSVG
testSomeComplexSaneSVG(string $path)
provideSomeComplexSaneSVG
Definition: SVGPreProcessorTest.php:126
ILIAS\FileUpload\Processor
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: AbstractRecursiveZipPreProcessor.php:19
ILIAS\Filesystem\Stream\Streams\ofString
static ofString($string)
Creates a new stream with an initial value.
Definition: Streams.php:25
ILIAS\FileUpload\DTO\ProcessingStatus\DENIED
const DENIED
Upload got denied by a processor, the upload will be removed immediately.
Definition: ProcessingStatus.php:50
Streams
Exercise XML Parser which completes/updates a given file by an xml string.