ILIAS  trunk Revision v11.0_alpha-1723-g8e69f309bab
All Data Structures Namespaces Files Functions Variables Enumerations Enumerator Modules Pages
SVGPreProcessorTest.php
Go to the documentation of this file.
1 <?php
2 
19 namespace ILIAS\FileUpload\Processor;
20 
21 use PHPUnit\Framework\Attributes\DataProvider;
22 
23 require_once('./vendor/composer/vendor/autoload.php');
24 
25 use PHPUnit\Framework\TestCase;
26 use ILIAS\FileUpload\DTO\Metadata;
27 use ILIAS\Filesystem\Stream\Streams;
28 use ILIAS\FileUpload\DTO\ProcessingStatus;
29 
33 class SVGPreProcessorTest extends TestCase
34 {
38  protected function getPreProcessor(): SVGBlacklistPreProcessor
39  {
40  return new SVGBlacklistPreProcessor(
41  'The SVG file contains malicious code.',
42  '(script)',
43  '(base64)',
44  ''
45  );
46  }
47 
48  public static function maliciousSVGProvider(): array
49  {
50  return [
51  [
52  '<svg width="100" height="100">
53  <foreignObject width="100%" height="100%">
54  <script>alert(document.domain);</script>
55  </foreignObject>
56 </svg>',
57  'script'
58  ],
59  [
60  '<svg width="100" height="100">
61  <foreignObject width="100%" height="100%" onclick="alert(document.domain);">
62 
63  </foreignObject>
64 </svg>',
65  'onclick'
66  ],
67  [
68  '<svg version="1.1" baseProfile="full"
69 xmlns="http://www.w3.org/2000/svg">
70 <rect width="100" height="100" style="fill:rgb(0,0,255);" />
71 <script type="text/javascript">
72 alert("XSS in SVG on " + document.domain );
73 </script>
74 </svg>',
75  'script'
76  ],
77  [
78  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
79 <use xlink:href="data:application/xml;base64 ,
80 PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
81 PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
82 jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
83 FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
84 aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
85 8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
86 </svg>',
87  'base64'
88  ]
89  ];
90  }
91 
92  #[DataProvider('maliciousSVGProvider')]
93  public function testMaliciousSVG(string $malicious_svg, string $type): void
94  {
95  $preProcessor = $this->getPreProcessor();
96  $stream = Streams::ofString($malicious_svg);
97  $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
98 
99  $result = $preProcessor->process($stream, $metadata);
100 
101  $this->assertFalse($result->getCode() === ProcessingStatus::OK);
102  $this->assertTrue($result->getCode() === ProcessingStatus::DENIED);
103  $this->assertSame('The SVG file contains malicious code. (' . $type . ')', $result->getMessage());
104  }
105 
106  public function testSaneSVG(): void
107  {
108  $svg = '<svg version="1.1" baseProfile="full"
109 xmlns="http://www.w3.org/2000/svg">
110 <rect width="100" height="100" style="fill:rgb(0,0,255);" />
111 </svg>';
112 
113  $preProcessor = $this->getPreProcessor();
114  $stream = Streams::ofString($svg);
115  $metadata = new Metadata('test.svg', 100, 'image/svg+xml');
116 
117  $result = $preProcessor->process($stream, $metadata);
118 
119  $this->assertTrue($result->getCode() === ProcessingStatus::OK);
120  $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
121  $this->assertSame('SVG OK', $result->getMessage());
122  }
123 
124  public static function provideSomeComplexSaneSVG(): array
125  {
126  return [
127  [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/media/bigplay.svg'],
128  [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/nav/jstree.svg'],
129  [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/media/loader.svg'],
130  [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/object/col.svg'],
131  [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/logo/HeaderIcon.svg'],
132  [__DIR__ . '/../../../../../components/ILIAS/UI/resources/images/object/answered_not.svg'],
133  ];
134  }
135 
136  #[DataProvider('provideSomeComplexSaneSVG')]
137  public function testSomeComplexSaneSVG(string $path): void
138  {
139  $this->assertTrue(file_exists($path));
140  $svg = file_get_contents($path);
141 
142  $preProcessor = $this->getPreProcessor();
143  $stream = Streams::ofString($svg);
144  $metadata = new Metadata('media/bigplay.svg', 100, 'image/svg+xml');
145 
146  $result = $preProcessor->process($stream, $metadata);
147 
148  $this->assertSame('SVG OK', $result->getMessage());
149  $this->assertTrue($result->getCode() === ProcessingStatus::OK);
150  $this->assertFalse($result->getCode() === ProcessingStatus::REJECTED);
151  }
152 }
$path
$path
Definition: ltiservices.php:29
ILIAS\FileUpload\Processor
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: AbstractRecursiveZipPreProcessor.php:19
ILIAS\Filesystem\Stream\Streams\ofString
static ofString(string $string)
Creates a new stream with an initial value.
Definition: Streams.php:41