BUGFIX: Sanitize uploaded svg files for suspicious contents

Adding an internal method `sanitizeImportedFileContent` to the resourceManager which is called for every imported resource. If suspicious content was removed from a warning is logged that which mentions the remove date and line. The sanitizing is done using "enshrined/svg-sanitize" that is used by other cms aswell. The initial implementation will only sanitize SVG files as those can contain malicious scripts. In future this should be expanded to a feature that allows registering of custom sanitizing functions. To create the centralized filter the implementation of `ResourceManager->importResource` was changed to read the file content and delegate the rest of the work to `ResourceManager->importResourceFromContent` which is the responsible for calling `ResourceManager->sanitizeImportedFileContent`.
neos · Sep 22, 2023 · b1ff96e · b1ff96e
1 parent 848edb4
commit b1ff96e
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 22 deletions.
diff --git a/Neos.Flow/Classes/ResourceManagement/ResourceManager.php b/Neos.Flow/Classes/ResourceManagement/ResourceManager.php
@@ -11,10 +11,12 @@
  * source code.
  */
 
+use enshrined\svgSanitize\Sanitizer;
 use Neos\Flow\Annotations as Flow;
 use Neos\Flow\Log\Utility\LogEnvironment;
 use Neos\Flow\ObjectManagement\ObjectManagerInterface;
 use Neos\Flow\Persistence\PersistenceManagerInterface;
+use Neos\Utility\MediaTypes;
 use Neos\Utility\ObjectAccess;
 use Neos\Flow\ResourceManagement\Storage\StorageInterface;
 use Neos\Flow\ResourceManagement\Storage\WritableStorageInterface;
@@ -151,30 +153,21 @@ protected function initialize()
      */
     public function importResource($source, $collectionName = ResourceManager::DEFAULT_PERSISTENT_COLLECTION_NAME, $forcedPersistenceObjectIdentifier = null)
     {
-        $this->initialize();
-        if (!isset($this->collections[$collectionName])) {
-            throw new Exception(sprintf('Tried to import a file into the resource collection "%s" but no such collection exists. Please check your settings and the code which triggered the import.', $collectionName), 1375196643);
-        }
-
-        /* @var CollectionInterface $collection */
-        $collection = $this->collections[$collectionName];
-
-        try {
-            $resource = $collection->importResource($source);
-            if ($forcedPersistenceObjectIdentifier !== null) {
-                ObjectAccess::setProperty($resource, 'Persistence_Object_Identifier', $forcedPersistenceObjectIdentifier, true);
+        if (is_resource($source)) {
+            $content = stream_get_contents($source);
+            $filename = '';
+            if ($content === false) {
+                throw new Exception('Could not import the content stream as resource.', 1695390671);
             }
-            if (!is_resource($source)) {
-                $pathInfo = UnicodeFunctions::pathinfo($source);
-                $resource->setFilename($pathInfo['basename']);
+        } else {
+            $content = file_get_contents($source);
+            /** @var string $filename */
+            $filename = UnicodeFunctions::pathinfo($source, PATHINFO_FILENAME);
+            if ($content === false) {
+                throw new Exception(sprintf('Could not read the file from "%s" as resource.', $source), 1695390671);
             }
-        } catch (Exception $exception) {
-            throw new Exception(sprintf('Importing a file into the resource collection "%s" failed: %s', $collectionName, $exception->getMessage()), 1375197120, $exception);
         }
-
-        $this->resourceRepository->add($resource);
-        $this->logger->debug(sprintf('Successfully imported file "%s" into the resource collection "%s" (storage: %s, a %s. SHA1: %s)', $source, $collectionName, $collection->getStorage()->getName(), get_class($collection), $resource->getSha1()));
-        return $resource;
+        return $this->importResourceFromContent($content, $filename, $collectionName, $forcedPersistenceObjectIdentifier);
     }
 
     /**
@@ -206,6 +199,8 @@ public function importResourceFromContent($content, $filename, $collectionName =
             throw new Exception(sprintf('Tried to import a file into the resource collection "%s" but no such collection exists. Please check your settings and the code which triggered the import.', $collectionName), 1380878131);
         }
 
+        $content = $this->sanitizeImportedFileContent($filename, $content);
+
         /* @var CollectionInterface $collection */
         $collection = $this->collections[$collectionName];
 
@@ -608,6 +603,35 @@ protected function initializeCollections()
         }
     }
 
+    /**
+     * Sanitize file content and remove content that is suspicious
+     * for now this only checks svg file to solve the issue here https://nvd.nist.gov/vuln/detail/CVE-2023-37611
+     *
+     * @todo create a feature from this and allow to register code for sanitizing file content before importing
+     */
+    protected function sanitizeImportedFileContent(string $filename, string $content): string
+    {
+        $typeFromFilename = MediaTypes::getMediaTypeFromFilename($content);
+        $typeFromContent = MediaTypes::getMediaTypeFromFileContent($content);
+        if ($typeFromFilename === 'image/svg+xml' || $typeFromContent === 'image/svg+xml') {
+            // @todo: Simplify again when https://github.com/darylldoyle/svg-sanitizer/pull/90 is merged and released.
+            $previousXmlErrorHandling = libxml_use_internal_errors(true);
+            $sanitizer = new Sanitizer();
+            $sanitizedContent = $sanitizer->sanitize($content);
+            libxml_clear_errors();
+            libxml_use_internal_errors($previousXmlErrorHandling);
+            $issues = $sanitizer->getXmlIssues();
+            if ($issues && count($issues) > 0) {
+                if ($sanitizedContent === false) {
+                    throw new Exception('Sanitizing of suspicious file "' . $filename . '" failed during import.', 1695395560);
+                }
+                $content = $sanitizedContent;
+                $this->logger->warning(sprintf('Imported file "%s" contained suspicious content and was sanitized.', $filename), $issues);
+            }
+        }
+        return $content;
+    }
+
     /**
      * Prepare an uploaded file to be imported as resource object. Will check the validity of the file,
      * move it outside of upload folder if open_basedir is enabled and check the filename.

diff --git a/Neos.Flow/composer.json b/Neos.Flow/composer.json
@@ -51,7 +51,8 @@
 
         "composer/composer": "^2.2.8",
 
-        "egulias/email-validator": "^2.1.17 || ^3.0"
+        "egulias/email-validator": "^2.1.17 || ^3.0",
+        "enshrined/svg-sanitize": "^0.16.0"
     },
     "require-dev": {
         "vimeo/psalm": "~4.30.0",

diff --git a/composer.json b/composer.json
@@ -32,6 +32,7 @@
         "neos/composer-plugin": "^2.0",
         "composer/composer": "^2.2.8",
         "egulias/email-validator": "^2.1.17 || ^3.0",
+        "enshrined/svg-sanitize": "^0.16.0",
         "typo3fluid/fluid": "~2.7.0",
         "guzzlehttp/psr7": "^1.8.4",
         "ext-mbstring": "*"