Skip to content

Latest commit

 

History

History
68 lines (53 loc) · 3.02 KB

README.md

File metadata and controls

68 lines (53 loc) · 3.02 KB

SVG SECURITY

Simple and lightweight library that helps to validate SVG files in security manners.

Build Codecov GitHub Release Date Maven Central Libraries.io dependency status for GitHub repo Scrutinizer code quality Quality Gate Status

It will help you in detecting malicious content inside uploaded SVGs.

Are you aware that SVG can cause XSS?

Read https://sekurak.pl/pozwalasz-ladowac-pliki-svg-masz-xss-a/ for more details.

Example

Try to upload this SVG into your application, if it passes through and user can browse this file - probably You are vulnerable to XSS attack.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Hello, world!');
</script>
</svg>

Usage

Add library dependency:

compile "com.github.bgalek.security.svg:safe-svg:1.1.4"

You can use this library to check uploaded svg files

SvgSecurityValidator svgSecurityValidator = SvgSecurityValidator.builder().build();
String svg = "<?xml version=\"1.0\" standalone=\"no\"?>\n" +
                "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n" +
                "<svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\">\n" +
                "<polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>\n" +
                "<script type=\"text/javascript\">\n" +
                "alert('Hello, world!');\n" +
                "</script>\n" +
                "</svg>";
        ValidationResult validation = svgSecurityValidator.validate(svg);
        if (validation.hasViolations()) {
            throw new RuntimeException("this file is suspicious" + validation.getOffendingElements());
        }

If you want to allow other (possibly non-safe) elements/attributes use

ValidationResult detect = SvgSecurityValidator.builder()
    .withAdditionalElements(elements)
    .withAdditionalAttributes(attributes)
    .build()
    .validate(testFile);