ILIAS  release_7 Revision v7.30-3-g800a261c036
SVGPreProcessorTest.php
Go to the documentation of this file.
1<?php
2
19namespace ILIAS\FileUpload\Processor;
20
21require_once('./libs/composer/vendor/autoload.php');
22
23use PHPUnit\Framework\TestCase;
24use ILIAS\FileUpload\DTO\Metadata;
25use ILIAS\Filesystem\Stream\Streams;
26use ILIAS\FileUpload\DTO\ProcessingStatus;
27
31class SVGPreProcessorTest extends TestCase
32{
33 public function maliciousSVGProvider() : array
34 {
35 return [
36 [
37 '<svg width="100" height="100">
38 <foreignObject width="100%" height="100%">
39 <script>alert(document.domain);</script>
40 </foreignObject>
41</svg>',
42 'script'
43 ],
44 [
45 '<svg width="100" height="100">
46 <foreignObject width="100%" height="100%" onclick="alert(document.domain);">
47
48 </foreignObject>
49</svg>',
50 'onclick'
51 ],
52 [
53 '<svg version="1.1" baseProfile="full"
54xmlns="http://www.w3.org/2000/svg">
55<rect width="100" height="100" style="fill:rgb(0,0,255);" />
56<script type="text/javascript">
57alert("XSS in SVG on " + document.domain );
58</script>
59</svg>',
60 'script'
61 ],
62 [
63 '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
64<use xlink:href="data:application/xml;base64 ,
65PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
66PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
67jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
68FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
69aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
708+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
71</svg>',
72 'base64'
73 ]
74 ];
75 }
76
80 public function testMaliciousSVG(string $malicious_svg, string $type) : void
81 {
82 $preProcessor = new SVGBlacklistPreProcessor('The SVG file contains malicious code.');
83 $stream = Streams::ofString($malicious_svg);
84 $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
85
86 $result = $preProcessor->process($stream, $metadata);
87
88 $this->assertFalse($result->getCode() === ProcessingStatus::OK);
89 $this->assertTrue($result->getCode() === ProcessingStatus::DENIED);
90 $this->assertSame('The SVG file contains malicious code. (' . $type . ').', $result->getMessage());
91 }
92
93 public function testSaneSVG() : void
94 {
95 $svg = '<svg version="1.1" baseProfile="full"
96xmlns="http://www.w3.org/2000/svg">
97<rect width="100" height="100" style="fill:rgb(0,0,255);" />
98</svg>';
99
100 $preProcessor = new SVGBlacklistPreProcessor('The SVG file contains possibily malicious code.');
101 $stream = Streams::ofString($svg);
102 $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
103
104 $result = $preProcessor->process($stream, $metadata);
105
106 $this->assertTrue($result->getCode() === ProcessingStatus::OK);
107 $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
108 $this->assertSame('SVG OK', $result->getMessage());
109 }
110
111 public function provideSomeComplexSaneSVG() : array
112 {
113 return [
114 ['./templates/default/images/bigplay.svg'],
115 ['./templates/default/images/jstree.svg'],
116 ['./templates/default/images/loader.svg'],
117 ['./templates/default/images/col.svg'],
118 ['./templates/default/images/HeaderIcon.svg'],
119 ['./templates/default/images/answered_not.svg'],
120 ];
121 }
122
126 public function testSomeComplexSaneSVG(string $path) : void
127 {
128 $this->assertTrue(file_exists($path));
129 $svg = file_get_contents($path);
130
131 $preProcessor = new SVGBlacklistPreProcessor('The SVG file contains possibily malicious code.');
132 $stream = Streams::ofString($svg);
133 $metadata = new Metadata('bigplay.svg', 100, 'image/svg+xml');
134
135 $result = $preProcessor->process($stream, $metadata);
136
137 $this->assertSame('SVG OK', $result->getMessage());
138 $this->assertTrue($result->getCode() === ProcessingStatus::OK);
139 $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
140 }
141}
$result
$result
Definition: CleanUpTest.php:463
php
An exception for terminatinating execution or to throw for unit testing.
ILIAS\FileUpload\DTO\ProcessingStatus\REJECTED
const REJECTED
Upload got rejected by a processor.
Definition: ProcessingStatus.php:46
ILIAS\FileUpload\DTO\ProcessingStatus\DENIED
const DENIED
Upload got denied by a processor, the upload will be removed immediately.
Definition: ProcessingStatus.php:50
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testMaliciousSVG
testMaliciousSVG(string $malicious_svg, string $type)
@dataProvider maliciousSVGProvider
Definition: SVGPreProcessorTest.php:80
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testSomeComplexSaneSVG
testSomeComplexSaneSVG(string $path)
@dataProvider provideSomeComplexSaneSVG
Definition: SVGPreProcessorTest.php:126
ILIAS\Filesystem\Stream\Streams
Class Streams Stream factory which enables the user to create streams without the knowledge of the co...
Definition: Streams.php:17
ILIAS\Filesystem\Stream\Streams\ofString
static ofString($string)
Creates a new stream with an initial value.
Definition: Streams.php:25
ILIAS\FileUpload\Processor
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: AbstractRecursiveZipPreProcessor.php:19
$type
$type
Definition: proxy_ylocal.php:10