Strip onload attribute from SVG input
In order to prevent remote code injection, the `onload` attribute needs to be removed from the SVG input, as Puppeteer/Chromium will execute any code within it, which could potentially be malicious.

Fixes #81
neocotic committed May 29, 2022
1 parent 5e39f45 commit 7e6031a
Showing 11 changed files with 21 additions and 15 deletions.
2 changes: 1 addition & 1 deletion package-lock.json


2 changes: 1 addition & 1 deletion packages/convert-svg-core/package.json
Expand Up @@ -36,7 +36,7 @@
},
"dependencies": {
"chalk": "^4.1.2",
"cheerio": "^1.0.0-rc.10",
"cheerio": "^1.0.0-rc.11",
"commander": "^9.2.0",
"file-url": "^3.0.0",
"get-stdin": "^8.0.0",
26 changes: 13 additions & 13 deletions packages/convert-svg-core/src/Converter.js
Expand Up @@ -47,6 +47,7 @@ const _parseOptions = Symbol('parseOptions');
const _provider = Symbol('provider');
const _roundDimension = Symbol('roundDimension');
const _roundDimensions = Symbol('roundDimensions');
const _sanitize = Symbol('sanitize');
const _setDimensions = Symbol('setDimensions');
const _tempFile = Symbol('tempFile');
const _validate = Symbol('validate');
Expand Down Expand Up @@ -114,9 +115,7 @@ class Converter {

options = this[_parseOptions](options);

const output = await this[_convert](input, options);

return output;
return await this[_convert](input, options);
}

/**
Expand Down Expand Up @@ -191,11 +190,13 @@ class Converter {
input = Buffer.isBuffer(input) ? input.toString('utf8') : input;

const { provider } = this;
const svg = cheerio.default.html(cheerio.load(input, null, false)('svg'));
const svg = cheerio.default.html(this[_sanitize](cheerio.load(input, null, false)('svg')));

if (!svg) {
throw new Error('SVG element not found in input. Check the SVG input');
}

let html = '';
if (svg) {
html += `<!DOCTYPE html>
const html = `<!DOCTYPE html>
<html>
<head>
<base href="${options.baseUrl}">
Expand All @@ -207,9 +208,6 @@ html { background-color: ${provider.getBackgroundColor(options)}; }
</head>
<body>${svg}</body>
</html>`;
} else {
throw new Error('SVG element not found in input. Check the SVG input');
}

const page = await this[_getPage](html);

Expand All @@ -226,12 +224,10 @@ html { background-color: ${provider.getBackgroundColor(options)}; }

await page.setViewport(dimensions);

const output = await page.screenshot(Object.assign({
return await page.screenshot(Object.assign({
type: provider.getType(),
clip: Object.assign({ x: 0, y: 0 }, dimensions)
}, provider.getScreenshotOptions(options)));

return output;
}

async [_getDimensions](page, options) {
Expand Down Expand Up @@ -389,6 +385,10 @@ html { background-color: ${provider.getBackgroundColor(options)}; }
};
}

[_sanitize](svg) {
return svg.removeAttr('onload');
}

async [_setDimensions](page, dimensions) {
if (typeof dimensions.width !== 'number' && typeof dimensions.height !== 'number') {
return;
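Review bot: `[_sanitize]` at the end of the section strips `onload` from the matched `<svg>` element only; cheerio's `removeAttr` acts on the selection itself, not on its descendants, so event-handler attributes on child elements and any `<script>` children still reach the page unchanged and Chromium runs them exactly as it ran the `onload` that #81 reports. Because the page exists only to be screenshotted, turning script execution off where the page is created in `[_getPage]` (Puppeteer's `page.setJavaScriptEnabled(false)`) would close the whole class of issue rather than one attribute; failing that, the sanitizer should remove every `on*` attribute across `svg, svg *` and drop `script` elements. The method also lacks documentation; a one-line JSDoc such as `/** Removes script-bearing attributes from the selected SVG in place and returns the same selection. */` would state the in-place contract the caller on the `const svg = cheerio.default.html(this[_sanitize](...))` line relies on. `[_getPage]` is outside this section, so the suggestion about it is inferred from the call site rather than from its body.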
5 changes: 5 additions & 0 deletions packages/convert-svg-test-helper/src/tests.json
Expand Up @@ -163,6 +163,11 @@
"file": "cve-2021-23631.svg",
"message": "should only read SVG element"
},
{
"name": "when SVG has onload attribute",
"file": "issue-81.svg",
"message": "should strip onload attribute"
},
{
"name": "when setting both baseFile and baseUrl options",
"file": "external-file.svg",
Binary file not shown.
Binary file modified packages/convert-svg-to-jpeg/test/fixtures/expected/36.jpeg
Binary file modified packages/convert-svg-to-jpeg/test/fixtures/expected/37.jpeg
