Improve upload validation to check for dangerous attributes

tcms/kiwi_attachments/tests/test_validators.py

@@ -25,6 +25,19 @@ def test_uploading_svg_with_inline_script_should_fail(self, file_name):
             with self.assertRaisesRegex(Fault, message):
                 self.rpc_client.User.add_attachment("inline_javascript.svg", b64)
 
+    @parameterized.expand(
+        [
+            "svg_with_onload_attribute.svg",
+        ]
+    )
+    def test_uploading_svg_with_forbidden_attributes_should_fail(self, file_name):
+        with open(f"tests/ui/data/{file_name}", "rb") as svg_file:
+            b64 = base64.b64encode(svg_file.read()).decode()
+
+            message = str(_("File contains forbidden attribute:"))
+            with self.assertRaisesRegex(Fault, message):
+                self.rpc_client.User.add_attachment("image.svg", b64)
+
     def test_uploading_filename_ending_in_dot_exe_should_fail(self):
         message = str(_("Uploading executable files is forbidden"))
         with self.assertRaisesRegex(Fault, message):

tcms/kiwi_attachments/validators.py

@@ -7,6 +7,9 @@ def deny_uploads_containing_script_tag(uploaded_file):
         if chunk.lower().find(b"<script") > -1:
             raise ValidationError(_("File contains forbidden <script> tag"))
 
+        if chunk.lower().find(b"onload=") > -1:
+            raise ValidationError(_("File contains forbidden attribute:") + "onload")
+
 
 def deny_uploads_ending_in_dot_exe(uploaded_file):
     message = _("Uploading executable files is forbidden")