ILIAS  trunk Revision v11.0_alpha-2662-g519ff7d528f
SVGPreProcessorTest.php
Go to the documentation of this file.
1 <?php
2 
19 namespace ILIAS\FileUpload\Processor;
20 
21 use PHPUnit\Framework\Attributes\DataProvider;
22 
23 require_once('./vendor/composer/vendor/autoload.php');
24 
25 use PHPUnit\Framework\TestCase;
26 use ILIAS\FileUpload\DTO\Metadata;
27 use ILIAS\Filesystem\Stream\Streams;
28 use ILIAS\FileUpload\DTO\ProcessingStatus;
29 
33 class SVGPreProcessorTest extends TestCase
34 {
38  protected function getPreProcessor(): SVGBlacklistPreProcessor
39  {
40  return new SVGBlacklistPreProcessor(
41  'The SVG file contains malicious code.',
42  '(script)',
43  '(base64)',
44  ''
45  );
46  }
47 
48  public static function maliciousSVGProvider(): \Iterator
49  {
50  yield [
51  '<svg width="100" height="100">
52  <foreignObject width="100%" height="100%">
53  <script>alert(document.domain);</script>
54  </foreignObject>
55 </svg>',
56  'script'
57  ];
58  yield [
59  '<svg width="100" height="100">
60  <foreignObject width="100%" height="100%" onclick="alert(document.domain);">
61 
62  </foreignObject>
63 </svg>',
64  'onclick'
65  ];
66  yield [
67  '<svg version="1.1" baseProfile="full"
68 xmlns="http://www.w3.org/2000/svg">
69 <rect width="100" height="100" style="fill:rgb(0,0,255);" />
70 <script type="text/javascript">
71 alert("XSS in SVG on " + document.domain );
72 </script>
73 </svg>',
74  'script'
75  ];
76  yield [
77  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
78 <use xlink:href="data:application/xml;base64 ,
79 PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
80 PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
81 jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
82 FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
83 aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
84 8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
85 </svg>',
86  'base64'
87  ];
88  }
89 
90  #[DataProvider('maliciousSVGProvider')]
91  public function testMaliciousSVG(string $malicious_svg, string $type): void
92  {
93  $preProcessor = $this->getPreProcessor();
94  $stream = Streams::ofString($malicious_svg);
95  $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
96 
97  $result = $preProcessor->process($stream, $metadata);
98 
99  $this->assertNotSame(ProcessingStatus::OK, $result->getCode());
100  $this->assertSame(ProcessingStatus::DENIED, $result->getCode());
101  $this->assertSame('The SVG file contains malicious code. (' . $type . ')', $result->getMessage());
102  }
103 
104  public function testSaneSVG(): void
105  {
106  $svg = '<svg version="1.1" baseProfile="full"
107 xmlns="http://www.w3.org/2000/svg">
108 <rect width="100" height="100" style="fill:rgb(0,0,255);" />
109 </svg>';
110 
111  $preProcessor = $this->getPreProcessor();
112  $stream = Streams::ofString($svg);
113  $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
114 
115  $result = $preProcessor->process($stream, $metadata);
116 
117  $this->assertSame(ProcessingStatus::OK, $result->getCode());
118  $this->assertNotSame(ProcessingStatus::REJECTED, $result->getCode());
119  $this->assertSame('SVG OK', $result->getMessage());
120  }
121 
122  public static function provideSomeComplexSaneSVG(): \Iterator
123  {
124  yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/media/bigplay.svg'];
125  yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/nav/jstree.svg'];
126  yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/media/loader.svg'];
127  yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/object/col.svg'];
128  yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/logo/HeaderIcon.svg'];
129  yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/object/answered_not.svg'];
130  }
131 
132  #[DataProvider('provideSomeComplexSaneSVG')]
133  public function testSomeComplexSaneSVG(string $path): void
134  {
135  $this->assertFileExists($path);
136  $svg = file_get_contents($path);
137 
138  $preProcessor = $this->getPreProcessor();
139  $stream = Streams::ofString($svg);
140  $metadata = new Metadata('media/bigplay.svg', 100, 'image/svg+xml');
141 
142  $result = $preProcessor->process($stream, $metadata);
143 
144  $this->assertSame('SVG OK', $result->getMessage());
145  $this->assertSame(ProcessingStatus::OK, $result->getCode());
146  $this->assertNotSame(ProcessingStatus::REJECTED, $result->getCode());
147  }
148 }
$path
$path
Definition: ltiservices.php:29
ILIAS\FileUpload\Processor
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: AbstractRecursiveZipPreProcessor.php:19
ILIAS\Filesystem\Stream\Streams\ofString
static ofString(string $string)
Creates a new stream with an initial value.
Definition: Streams.php:41