ILIAS  release_8 Revision v8.19
All Data Structures Namespaces Files Functions Variables Modules Pages
SVGPreProcessorTest.php
Go to the documentation of this file.
1 <?php
2 
19 namespace ILIAS\FileUpload\Processor;
20 
21 require_once('./libs/composer/vendor/autoload.php');
22 
23 use PHPUnit\Framework\TestCase;
24 use ILIAS\FileUpload\DTO\Metadata;
25 use ILIAS\Filesystem\Stream\Streams;
26 use ILIAS\FileUpload\DTO\ProcessingStatus;
27 
31 class SVGPreProcessorTest extends TestCase
32 {
36  protected function getPreProcessor(): SVGBlacklistPreProcessor
37  {
38  return new SVGBlacklistPreProcessor(
39  'The SVG file contains malicious code.',
40  '(script)',
41  '(base64)',
42  ''
43  );
44  }
45 
46  public function maliciousSVGProvider(): array
47  {
48  return [
49  [
50  '<svg width="100" height="100">
51  <foreignObject width="100%" height="100%">
52  <script>alert(document.domain);</script>
53  </foreignObject>
54 </svg>',
55  'script'
56  ],
57  [
58  '<svg width="100" height="100">
59  <foreignObject width="100%" height="100%" onclick="alert(document.domain);">
60 
61  </foreignObject>
62 </svg>',
63  'onclick'
64  ],
65  [
66  '<svg version="1.1" baseProfile="full"
67 xmlns="http://www.w3.org/2000/svg">
68 <rect width="100" height="100" style="fill:rgb(0,0,255);" />
69 <script type="text/javascript">
70 alert("XSS in SVG on " + document.domain );
71 </script>
72 </svg>',
73  'script'
74  ],
75  [
76  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
77 <use xlink:href="data:application/xml;base64 ,
78 PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
79 PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
80 jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
81 FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
82 aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
83 8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
84 </svg>',
85  'base64'
86  ]
87  ];
88  }
89 
93  public function testMaliciousSVG(string $malicious_svg, string $type): void
94  {
95  $preProcessor = $this->getPreProcessor();
96  $stream = Streams::ofString($malicious_svg);
97  $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
98 
99  $result = $preProcessor->process($stream, $metadata);
100 
101  $this->assertFalse($result->getCode() === ProcessingStatus::OK);
102  $this->assertTrue($result->getCode() === ProcessingStatus::DENIED);
103  $this->assertSame('The SVG file contains malicious code. (' . $type . ')', $result->getMessage());
104  }
105 
106  public function testSaneSVG(): void
107  {
108  $svg = '<svg version="1.1" baseProfile="full"
109 xmlns="http://www.w3.org/2000/svg">
110 <rect width="100" height="100" style="fill:rgb(0,0,255);" />
111 </svg>';
112 
113  $preProcessor = $this->getPreProcessor();
114  $stream = Streams::ofString($svg);
115  $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
116 
117  $result = $preProcessor->process($stream, $metadata);
118 
119  $this->assertTrue($result->getCode() === ProcessingStatus::OK);
120  $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
121  $this->assertSame('SVG OK', $result->getMessage());
122  }
123 
124  public function provideSomeComplexSaneSVG(): array
125  {
126  return [
127  ['./templates/default/images/bigplay.svg'],
128  ['./templates/default/images/jstree.svg'],
129  ['./templates/default/images/loader.svg'],
130  ['./templates/default/images/col.svg'],
131  ['./templates/default/images/HeaderIcon.svg'],
132  ['./templates/default/images/answered_not.svg'],
133  ];
134  }
135 
139  public function testSomeComplexSaneSVG(string $path): void
140  {
141  $this->assertTrue(file_exists($path));
142  $svg = file_get_contents($path);
143 
144  $preProcessor = $this->getPreProcessor();
145  $stream = Streams::ofString($svg);
146  $metadata = new Metadata('bigplay.svg', 100, 'image/svg+xml');
147 
148  $result = $preProcessor->process($stream, $metadata);
149 
150  $this->assertSame('SVG OK', $result->getMessage());
151  $this->assertTrue($result->getCode() === ProcessingStatus::OK);
152  $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
153  }
154 }
ILIAS\FileUpload\DTO\ProcessingStatus\REJECTED
const REJECTED
Upload got rejected by a processor.
Definition: ProcessingStatus.php:46
$type
$type
Definition: proxy_ylocal.php:10
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testMaliciousSVG
testMaliciousSVG(string $malicious_svg, string $type)
maliciousSVGProvider
Definition: SVGPreProcessorTest.php:93
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testSomeComplexSaneSVG
testSomeComplexSaneSVG(string $path)
provideSomeComplexSaneSVG
Definition: SVGPreProcessorTest.php:139
$path
$path
Definition: ltiservices.php:32
ILIAS\FileUpload\Processor
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: AbstractRecursiveZipPreProcessor.php:19
ILIAS\FileUpload\DTO\ProcessingStatus\DENIED
const DENIED
Upload got denied by a processor, the upload will be removed immediately.
Definition: ProcessingStatus.php:50
ILIAS\Filesystem\Stream\Streams\ofString
static ofString(string $string)
Creates a new stream with an initial value.
Definition: Streams.php:43