TryGhost · TeneBrae93 · Feb 2, 2024 · Feb 2, 2024 · Feb 2, 2024
diff --git a/ghost/core/core/server/web/api/middleware/upload.js b/ghost/core/core/server/web/api/middleware/upload.js
@@ -6,6 +6,8 @@ const errors = require('@tryghost/errors');
 const config = require('../../../../shared/config');
 const tpl = require('@tryghost/tpl');
 const logging = require('@tryghost/logging');
+const { JSDOM } = require('jsdom');
+const createDOMPurify = require('dompurify');
 
 const messages = {
     db: {
@@ -26,7 +28,7 @@ const messages = {
     },
     images: {
         missingFile: 'Please select an image.',
-        invalidFile: 'Please select a valid image.'
+        invalidFile: 'Unsupported file type. SVG files must not contain malicious content.'
     },
     icons: {
         missingFile: 'Please select an icon.',
@@ -49,7 +51,6 @@ const deleteSingleFile = file => fs.unlink(file.path).catch(err => logging.error
 
 const single = name => function singleUploadFunction(req, res, next) {
     const singleUpload = upload.single(name);
-
     singleUpload(req, res, (err) => {
         if (err) {
             return next(err);
@@ -60,11 +61,11 @@ const single = name => function singleUploadFunction(req, res, next) {
                 res.removeListener('close', deleteFiles);
                 if (!req.disableUploadClear) {
                     if (req.files) {
-                        return req.files.forEach(deleteSingleFile);
+                        req.files.forEach(deleteSingleFile);
                     }
 
                     if (req.file) {
-                        return deleteSingleFile(req.file);
+                        deleteSingleFile(req.file);
                     }
                 }
             };
@@ -85,22 +86,20 @@ const media = (fileName, thumbName) => function mediaUploadFunction(req, res, ne
         name: thumbName,
         maxCount: 1
     }]);
-
     mediaUpload(req, res, (err) => {
         if (err) {
             return next(err);
         }
-
         if (enabledClear) {
             const deleteFiles = () => {
                 res.removeListener('finish', deleteFiles);
                 res.removeListener('close', deleteFiles);
                 if (!req.disableUploadClear) {
                     if (req.files.file) {
-                        return req.files.file.forEach(deleteSingleFile);
+                        req.files.file.forEach(deleteSingleFile);
                     }
                     if (req.files.thumbnail) {
-                        return req.files.thumbnail.forEach(deleteSingleFile);
+                        req.files.thumbnail.forEach(deleteSingleFile);
                     }
                 }
             };
@@ -109,7 +108,6 @@ const media = (fileName, thumbName) => function mediaUploadFunction(req, res, ne
                 res.on('close', deleteFiles);
             }
         }
-
         next();
     });
 };
@@ -119,23 +117,28 @@ const checkFileExists = (fileData) => {
 };
 
 const checkFileIsValid = (fileData, types, extensions) => {
-    const type = fileData.mimetype;
+    const fileType = fileData.mimetype;
+    const fileExt = path.extname(fileData.name).toLowerCase();
+
+    // Adjust the logic to sanitize SVG files and accept them if sanitized
+    if (fileExt === '.svg') {
+        const window = new JSDOM('').window;
+        const dompurify = createDOMPurify(window);
+        const content = fs.readFileSync(fileData.path, 'utf8');
+        const sanitizedContent = dompurify.sanitize(content, {RETURN_TRUSTED_TYPE: false});
+
+        fs.writeFileSync(fileData.path, sanitizedContent, 'utf8');
 
-    if (types.includes(type) && extensions.includes(fileData.ext)) {
+        // Always return true as the file is sanitized before being validated
         return true;
+    } else if (!types.includes(fileType) || !extensions.includes(fileExt)) {
+        return false;
     }
 
-    return false;
+    return true;
 };
 
-/**
- *
- * @param {Object} options
- * @param {String} options.type - type of the file
- * @returns {Function}
- */
 const validation = function ({type}) {
-    // if we finish the data/importer logic, we forward the request to the specified importer
     return function uploadValidation(req, res, next) {
         const extensions = (config.get('uploads')[type] && config.get('uploads')[type].extensions) || [];
         const contentTypes = (config.get('uploads')[type] && config.get('uploads')[type].contentTypes) || [];
@@ -144,7 +147,6 @@ const validation = function ({type}) {
         req.file.name = req.file.originalname;
         req.file.type = req.file.mimetype;
 
-        // Check if a file was provided
         if (!checkFileExists(req.file)) {
             return next(new errors.ValidationError({
                 message: tpl(messages[type].missingFile)
@@ -153,23 +155,16 @@ const validation = function ({type}) {
 
         req.file.ext = path.extname(req.file.name).toLowerCase();
 
-        // Check if the file is valid
         if (!checkFileIsValid(req.file, contentTypes, extensions)) {
             return next(new errors.UnsupportedMediaTypeError({
-                message: tpl(messages[type].invalidFile, {extensions: extensions})
+                message: tpl(messages[type].invalidFile, {extensions: extensions.join(', ')})
             }));
         }
 
         next();
     };
 };
 
-/**
- *
- * @param {Object} options
- * @param {String} options.type - type of the file
- * @returns {Function}
- */
 const mediaValidation = function ({type}) {
     return function mediaUploadValidation(req, res, next) {
         const extensions = (config.get('uploads')[type] && config.get('uploads')[type].extensions) || [];
@@ -192,7 +187,7 @@ const mediaValidation = function ({type}) {
 
         if (!checkFileIsValid(req.file, contentTypes, extensions)) {
             return next(new errors.UnsupportedMediaTypeError({
-                message: tpl(messages[type].invalidFile, {extensions: extensions})
+                message: tpl(messages[type].invalidFile, {extensions: extensions.join(', ')})
             }));
         }
 
@@ -212,7 +207,7 @@ const mediaValidation = function ({type}) {
 
             if (!checkFileIsValid(req.thumbnail, thumbnailContentTypes, thumbnailExtensions)) {
                 return next(new errors.UnsupportedMediaTypeError({
-                    message: tpl(messages.thumbnail.invalidFile, {extensions: thumbnailExtensions})
+                    message: tpl(messages.thumbnail.invalidFile, {extensions: thumbnailExtensions.join(', ')})
                 }));
             }
         }

diff --git a/ghost/core/package.json b/ghost/core/package.json
@@ -192,9 +192,6 @@
     "intl": "1.2.5",
     "intl-messageformat": "5.4.3",
     "js-yaml": "4.1.0",
-    "jsdom": "22.1.0",
-    "json-stable-stringify": "1.1.1",
-    "jsonpath": "1.1.1",
     "jsonwebtoken": "8.5.1",
     "juice": "9.1.0",
     "keypair": "1.0.4",
@@ -221,7 +218,9 @@
     "ws": "8.16.0",
     "xml": "1.0.1",
     "y-protocols": "1.0.6",
-    "yjs": "13.6.11"
+    "yjs": "13.6.11",
+    "dompurify": "^2.3.4",
+    "jsdom": "^19.0.0"
   },
   "optionalDependencies": {
     "@sentry/profiling-node": "1.3.5",