ILIAS  trunk Revision v11.0_alpha-3011-gc6b235a2e85
SVGPreProcessorTest.php
Go to the documentation of this file.
1<?php
2
19namespace ILIAS\FileUpload\Processor;
20
21use PHPUnit\Framework\Attributes\DataProvider;
22
23require_once('./vendor/composer/vendor/autoload.php');
24
25use PHPUnit\Framework\TestCase;
26use ILIAS\FileUpload\DTO\Metadata;
27use ILIAS\Filesystem\Stream\Streams;
28use ILIAS\FileUpload\DTO\ProcessingStatus;
29
33class SVGPreProcessorTest extends TestCase
34{
38 protected function getPreProcessor(): SVGBlacklistPreProcessor
39 {
40 return new SVGBlacklistPreProcessor(
41 'The SVG file contains malicious code.',
42 '(script)',
43 '(base64)',
44 ''
45 );
46 }
47
48 public static function maliciousSVGProvider(): \Iterator
49 {
50 yield [
51 '<svg width="100" height="100">
52 <foreignObject width="100%" height="100%">
53 <script>alert(document.domain);</script>
54 </foreignObject>
55</svg>',
56 'script'
57 ];
58 yield [
59 '<svg width="100" height="100">
60 <foreignObject width="100%" height="100%" onclick="alert(document.domain);">
61
62 </foreignObject>
63</svg>',
64 'onclick'
65 ];
66 yield [
67 '<svg version="1.1" baseProfile="full"
68xmlns="http://www.w3.org/2000/svg">
69<rect width="100" height="100" style="fill:rgb(0,0,255);" />
70<script type="text/javascript">
71alert("XSS in SVG on " + document.domain );
72</script>
73</svg>',
74 'script'
75 ];
76 yield [
77 '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
78<use xlink:href="data:application/xml;base64 ,
79PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
80PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
81jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
82FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
83aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
848+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
85</svg>',
86 'base64'
87 ];
88 }
89
90 #[DataProvider('maliciousSVGProvider')]
91 public function testMaliciousSVG(string $malicious_svg, string $type): void
92 {
93 $preProcessor = $this->getPreProcessor();
94 $stream = Streams::ofString($malicious_svg);
95 $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
96
97 $result = $preProcessor->process($stream, $metadata);
98
99 $this->assertNotSame(ProcessingStatus::OK, $result->getCode());
100 $this->assertSame(ProcessingStatus::DENIED, $result->getCode());
101 $this->assertSame('The SVG file contains malicious code. (' . $type . ')', $result->getMessage());
102 }
103
104 public function testSaneSVG(): void
105 {
106 $svg = '<svg version="1.1" baseProfile="full"
107xmlns="http://www.w3.org/2000/svg">
108<rect width="100" height="100" style="fill:rgb(0,0,255);" />
109</svg>';
110
111 $preProcessor = $this->getPreProcessor();
112 $stream = Streams::ofString($svg);
113 $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
114
115 $result = $preProcessor->process($stream, $metadata);
116
117 $this->assertSame(ProcessingStatus::OK, $result->getCode());
118 $this->assertNotSame(ProcessingStatus::REJECTED, $result->getCode());
119 $this->assertSame('SVG OK', $result->getMessage());
120 }
121
122 public static function provideSomeComplexSaneSVG(): \Iterator
123 {
124 yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/media/bigplay.svg'];
125 yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/nav/jstree.svg'];
126 yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/media/loader.svg'];
127 yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/object/col.svg'];
128 yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/logo/HeaderIcon.svg'];
129 yield [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/object/answered_not.svg'];
130 }
131
132 #[DataProvider('provideSomeComplexSaneSVG')]
133 public function testSomeComplexSaneSVG(string $path): void
134 {
135 $this->assertFileExists($path);
136 $svg = file_get_contents($path);
137
138 $preProcessor = $this->getPreProcessor();
139 $stream = Streams::ofString($svg);
140 $metadata = new Metadata('media/bigplay.svg', 100, 'image/svg+xml');
141
142 $result = $preProcessor->process($stream, $metadata);
143
144 $this->assertSame('SVG OK', $result->getMessage());
145 $this->assertSame(ProcessingStatus::OK, $result->getCode());
146 $this->assertNotSame(ProcessingStatus::REJECTED, $result->getCode());
147 }
148}
ILIAS\FileUpload\Processor\SVGPreProcessorTest\testMaliciousSVG
testMaliciousSVG(string $malicious_svg, string $type)
Definition: SVGPreProcessorTest.php:91
ILIAS\Filesystem\Stream\Streams
Stream factory which enables the user to create streams without the knowledge of the concrete class.
Definition: Streams.php:32
ILIAS\Filesystem\Stream\Streams\ofString
static ofString(string $string)
Creates a new stream with an initial value.
Definition: Streams.php:41
$path
$path
Definition: ltiservices.php:30
ILIAS\FileUpload\Processor
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: AbstractRecursiveZipPreProcessor.php:19