From 8816bd30c36940a0ffd374fb996978932248395d Mon Sep 17 00:00:00 2001
From: theworstcomrade <4lbercik@gmail.com>
Date: Thu, 18 Nov 2021 23:02:04 +0100
Subject: [PATCH] Document - fix stored xss

https://huntr.dev/bounties/99c4ed09-b66f-474a-bd74-eeccf9339fde/
---
 app/Libraries/HTMLUtils.php | 12 ------------
 app/Models/Document.php | 5 +----
 app/Ninja/Repositories/DocumentRepository.php | 9 ---------
 composer.json | 1 -
 4 files changed, 1 insertion(+), 26 deletions(-)

diff --git a/app/Libraries/HTMLUtils.php b/app/Libraries/HTMLUtils.php
index 51dcf9b896..3fc7b5957b 100644
--- a/app/Libraries/HTMLUtils.php
+++ b/app/Libraries/HTMLUtils.php
@@ -4,7 +4,6 @@ namespace App\Libraries;
 use HTMLPurifier;
 use HTMLPurifier_Config;
-use enshrined\svgSanitize\Sanitizer;
 class HTMLUtils
 {
@@ -75,15 +74,4 @@ class HTMLUtils
 return env($key, env($field, $default));
 }
-
- public static function sanitizeSVG($svg)
- {
- try {
- $sanitizer = new Sanitizer();
- return $sanitizer->sanitize($svg);
- } catch(\Exception $e) {
- return "";
- }
- }
 }
diff --git a/app/Models/Document.php b/app/Models/Document.php
index 9d570882d2..4aebfab1bf 100644
--- a/app/Models/Document.php
+++ b/app/Models/Document.php
@@ -43,7 +43,7 @@ class Document extends EntityModel
 'application/msword', 'application/excel', 'application/vnd.ms-excel', 'application/x-excel', 'application/x-msexcel',
 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/postscript', 'image/svg+xml',
+'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/postscript',
 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/vnd.ms-powerpoint',
 ];
@@ -57,9 +57,6 @@ class Document extends EntityModel
 'ai' => [
 'mime' => 'application/postscript',
 ],
-'svg' => [
-'mime' => 'image/svg+xml',
-],
 'jpeg' => [
 'mime' => 'image/jpeg',
 ],
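Review bot: Dropping `'svg'` from `$extensions` and `'image/svg+xml'` from `$allowedMimes` (the two Document.php hunks) only stops new SVG uploads; SVG documents stored before this commit are not touched by the patch, and if the application still serves them inline under their recorded `image/svg+xml` type they remain a stored-XSS vector — the serving path is not in this diff, so that part is inferred. A follow-up that deletes or re-types existing `svg` rows, or serves documents as attachments with `X-Content-Type-Options: nosniff`, would close that gap. The removals also only take effect if the upload path rejects extensions absent from `$extensions`, which the removed repository branch suggests but this diff does not show. Leaving a one-line comment where the `'svg'` entry was — `// no 'svg': inline SVG can carry script, so uploads are rejected rather than sanitized (stored XSS)` — would keep the entry from being re-added later.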
diff --git a/app/Ninja/Repositories/DocumentRepository.php b/app/Ninja/Repositories/DocumentRepository.php
index cf48d34064..e470348a3a 100644
--- a/app/Ninja/Repositories/DocumentRepository.php
+++ b/app/Ninja/Repositories/DocumentRepository.php
@@ -7,7 +7,6 @@ use DB;
 use Form;
 use Intervention\Image\ImageManager;
 use Utils;
-use App\Libraries\HTMLUtils;
 class DocumentRepository extends BaseRepository
 {
@@ -84,14 +83,6 @@ class DocumentRepository extends BaseRepository
 return 'File too large';
 }
- if($documentType === 'svg') {
- $stream = file_get_contents($filePath);
- if(!($stream = HTMLUtils::sanitizeSVG($stream))) {
- return 'Unsupported file type';
- }
- file_put_contents($filePath, $stream);
- }
 // don't allow a document to be linked to both an invoice and an expense
 if (array_get($data, 'invoice_id') && array_get($data, 'expense_id')) {
 unset($data['expense_id']);
diff --git a/composer.json b/composer.json
index 46589d4c48..0fc0b42356 100644
--- a/composer.json
+++ b/composer.json
@@ -44,7 +44,6 @@
 "digitickets/omnipay-realex": "~5.0",
 "doctrine/dbal": "2.6.x",
 "dompdf/dompdf": "0.6.2",
-"enshrined/svg-sanitize": "^0.14.1",
 "ezyang/htmlpurifier": "~v4.7",
 "fotografde/omnipay-checkoutcom": "~2.0",
 "fruitcakestudio/omnipay-sisow": "~2.0",
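Review bot: With the `$documentType === 'svg'` branch gone, nothing left in this method records why SVG is refused; the rejection now lives entirely in the type lookup earlier in the method, outside this hunk, and a contributor re-adding `svg` to `Document::$extensions` would silently re-open the upload. Add a why-comment where the branch stood: `// SVG is deliberately not an accepted type: inline SVG can execute script (stored XSS); sanitizing it was removed in favour of rejecting it.` A regression test that uploads a `.svg` and asserts it is rejected (presumably with the existing `'Unsupported file type'` response) would pin the behaviour. The enclosing method starts and ends outside the hunk.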
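Review bot: The diffstat lists composer.json but no composer.lock, so if the lock file is tracked in this repository it still pins `enshrined/svg-sanitize` and `composer install` will report it as out of date; the lock should be regenerated with the dependency removed in the same change. A search for any remaining `Sanitizer` or `sanitizeSVG` references is also worthwhile, since the helper was removed from `HTMLUtils` in this patch and a leftover caller would only fail at runtime.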