ILIAS  release_8 Revision v8.24
SVGPreProcessorTest.php
Go to the documentation of this file.
1<?php
2
19namespace ILIAS\FileUpload\Processor;
20
21require_once('./libs/composer/vendor/autoload.php');
22
23use PHPUnit\Framework\TestCase;
24use ILIAS\FileUpload\DTO\Metadata;
25use ILIAS\Filesystem\Stream\Streams;
26use ILIAS\FileUpload\DTO\ProcessingStatus;
27
31class SVGPreProcessorTest extends TestCase
32{
36 protected function getPreProcessor(): SVGBlacklistPreProcessor
37 {
38 return new SVGBlacklistPreProcessor(
39 'The SVG file contains malicious code.',
40 '(script)',
41 '(base64)',
42 ''
43 );
44 }
45
46 public function maliciousSVGProvider(): array
47 {
48 return [
49 [
50 '<svg width="100" height="100">
51 <foreignObject width="100%" height="100%">
52 <script>alert(document.domain);</script>
53 </foreignObject>
54</svg>',
55 'script'
56 ],
57 [
58 '<svg width="100" height="100">
59 <foreignObject width="100%" height="100%" onclick="alert(document.domain);">
60
61 </foreignObject>
62</svg>',
63 'onclick'
64 ],
65 [
66 '<svg version="1.1" baseProfile="full"
67xmlns="http://www.w3.org/2000/svg">
68<rect width="100" height="100" style="fill:rgb(0,0,255);" />
69<script type="text/javascript">
70alert("XSS in SVG on " + document.domain );
71</script>
72</svg>',
73 'script'
74 ],
75 [
76 '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
77<use xlink:href="data:application/xml;base64 ,
78PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
79PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
80jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
81FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
82aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
838+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
84</svg>',
85 'base64'
86 ]
87 ];
88 }
89
93 public function testMaliciousSVG(string $malicious_svg, string $type): void
94 {
95 $preProcessor = $this->getPreProcessor();
96 $stream = Streams::ofString($malicious_svg);
97 $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
98
99 $result = $preProcessor->process($stream, $metadata);
100
101 $this->assertFalse($result->getCode() === ProcessingStatus::OK);
102 $this->assertTrue($result->getCode() === ProcessingStatus::DENIED);
103 $this->assertSame('The SVG file contains malicious code. (' . $type . ')', $result->getMessage());
104 }
105
106 public function testSaneSVG(): void
107 {
108 $svg = '<svg version="1.1" baseProfile="full"
109xmlns="http://www.w3.org/2000/svg">
110<rect width="100" height="100" style="fill:rgb(0,0,255);" />
111</svg>';
112
113 $preProcessor = $this->getPreProcessor();
114 $stream = Streams::ofString($svg);
115 $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
116
117 $result = $preProcessor->process($stream, $metadata);
118
119 $this->assertTrue($result->getCode() === ProcessingStatus::OK);
120 $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
121 $this->assertSame('SVG OK', $result->getMessage());
122 }
123
124 public function provideSomeComplexSaneSVG(): array
125 {
126 return [
127 ['./templates/default/images/bigplay.svg'],
128 ['./templates/default/images/jstree.svg'],
129 ['./templates/default/images/loader.svg'],
130 ['./templates/default/images/col.svg'],
131 ['./templates/default/images/HeaderIcon.svg'],
132 ['./templates/default/images/answered_not.svg'],
133 ];
134 }
135
139 public function testSomeComplexSaneSVG(string $path): void
140 {
141 $this->assertTrue(file_exists($path));
142 $svg = file_get_contents($path);
143
144 $preProcessor = $this->getPreProcessor();
145 $stream = Streams::ofString($svg);
146 $metadata = new Metadata('bigplay.svg', 100, 'image/svg+xml');
147
148 $result = $preProcessor->process($stream, $metadata);
149
150 $this->assertSame('SVG OK', $result->getMessage());
151 $this->assertTrue($result->getCode() === ProcessingStatus::OK);
152 $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
153 }
154}
ILIAS\FileUpload\DTO\ProcessingStatus\REJECTED
const REJECTED
Upload got rejected by a processor.
Definition: ProcessingStatus.php:46
ILIAS\FileUpload\DTO\ProcessingStatus\DENIED
const DENIED
Upload got denied by a processor, the upload will be removed immediately.
Definition: ProcessingStatus.php:50
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testMaliciousSVG
testMaliciousSVG(string $malicious_svg, string $type)
@dataProvider maliciousSVGProvider
Definition: SVGPreProcessorTest.php:93
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testSomeComplexSaneSVG
testSomeComplexSaneSVG(string $path)
@dataProvider provideSomeComplexSaneSVG
Definition: SVGPreProcessorTest.php:139
ILIAS\Filesystem\Stream\Streams\ofString
static ofString(string $string)
Creates a new stream with an initial value.
Definition: Streams.php:43
$path
$path
Definition: ltiservices.php:32
ILIAS\FileUpload\Processor
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: AbstractRecursiveZipPreProcessor.php:19
$type
$type
Definition: proxy_ylocal.php:10