From bbb6a3335dbf49d4f38e9c0b41a1bab74bda3fce Mon Sep 17 00:00:00 2001
From: DarthSim
Date: Wed, 11 Jan 2023 18:32:21 +0300
Subject: [PATCH] Remove all known unsafe attrs from SVG during sanitization; Add Content-Security-Policy header to response

---
 processing_handler.go |   2 +
 svg/svg.go            |   2 +-
 svg/unsafe_attrs.go   | 114 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 svg/unsafe_attrs.go

diff --git a/processing_handler.go b/processing_handler.go
index 67625b28..41bbeb4e 100644
--- a/processing_handler.go
+++ b/processing_handler.go
@@ -128,6 +128,8 @@ func respondWithImage(reqID string, r *http.Request, rw http.ResponseWriter, sta
 		rw.Header().Set("X-Result-Height", resultData.Headers["X-Result-Height"])
 	}
 
+	rw.Header().Set("Content-Security-Policy", "script-src 'none'")
+
 	rw.Header().Set("Content-Length", strconv.Itoa(len(resultData.Data)))
 	rw.WriteHeader(statusCode)
 	rw.Write(resultData.Data)
diff --git a/svg/svg.go b/svg/svg.go
index 8c5fdf98..92a45faf 100644
--- a/svg/svg.go
+++ b/svg/svg.go
@@ -73,7 +73,7 @@ func Satitize(data *imagedata.ImageData) (*imagedata.ImageData, error) {
 			}
 			buf.Write(tdata)
 		case xml.AttributeToken:
-			if strings.ToLower(string(l.Text())) == "onload" {
+			if _, unsafe := unsafeAttrs[strings.ToLower(string(l.Text()))]; unsafe {
 				continue
 			}
 			buf.Write(tdata)
diff --git a/svg/unsafe_attrs.go b/svg/unsafe_attrs.go
new file mode 100644
index 00000000..3d747ca9
--- /dev/null
+++ b/svg/unsafe_attrs.go
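Review bot: The added `Content-Security-Policy: script-src 'none'` restricts only script execution; with no `default-src` every other fetch directive stays unrestricted, so an SVG that is opened directly in a browser may still load external resources, and that should be a deliberate choice rather than the implicit default. If the intent is to isolate sanitized SVG output as a document, consider a `default-src 'none'` baseline (adding `style-src 'unsafe-inline'` only if inline `<style>` rendering must keep working) or the `sandbox` directive, and confirm that no other code path writes image bytes without this header, since the hunk only covers respondWithImage. The header is also sent for raster formats, which is harmless but deserves a line such as `// Defense in depth: block script execution if a sanitized SVG is rendered as a document rather than as an image.` above the new call. respondWithImage starts before and ends after this hunk.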
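Review bot: The new lookup turns the single `onload` check into a denylist, so any event-handler attribute that is absent from `unsafeAttrs` (a name introduced by a newer browser, or a vendor-prefixed variant) is written through unchanged; as far as the SVG and HTML attribute vocabularies go, every attribute whose name begins with `on` is an event handler, so a prefix test is shorter and needs no upkeep: `if name := strings.ToLower(string(l.Text())); strings.HasPrefix(name, "on") {`, with the table in svg/unsafe_attrs.go then reduced to documentation or dropped. The local named `unsafe` reads like the `unsafe` package; `isUnsafe` or `drop` avoids the double take. This branch inspects only the attribute name, never its value, which is fine for event handlers but is worth stating in a comment so nobody assumes Satitize validates attribute values. Satitize starts before and ends after this hunk.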
@@ -0,0 +1,114 @@
+package svg
+
+var unsafeAttrs = map[string]struct{}{
+	"onafterprint": {},
+	"onafterscriptexecute": {},
+	"onanimationcancel": {},
+	"onanimationend": {},
+	"onanimationiteration": {},
+	"onanimationstart": {},
+	"onauxclick": {},
+	"onbeforecopy": {},
+	"onbeforecut": {},
+	"onbeforeinput": {},
+	"onbeforeprint": {},
+	"onbeforescriptexecute": {},
+	"onbeforeunload": {},
+	"onbegin": {},
+	"onblur": {},
+	"onbounce": {},
+	"oncanplay": {},
+	"oncanplaythrough": {},
+	"onchange": {},
+	"onclick": {},
+	"onclose": {},
+	"oncontextmenu": {},
+	"oncopy": {},
+	"oncuechange": {},
+	"oncut": {},
+	"ondblclick": {},
+	"ondrag": {},
+	"ondragend": {},
+	"ondragenter": {},
+	"ondragleave": {},
+	"ondragover": {},
+	"ondragstart": {},
+	"ondrop": {},
+	"ondurationchange": {},
+	"onend": {},
+	"onended": {},
+	"onerror": {},
+	"onfinish": {},
+	"onfocus": {},
+	"onfocusin": {},
+	"onfocusout": {},
+	"onfullscreenchange": {},
+	"onhashchange": {},
+	"oninput": {},
+	"oninvalid": {},
+	"onkeydown": {},
+	"onkeypress": {},
+	"onkeyup": {},
+	"onload": {},
+	"onloadeddata": {},
+	"onloadedmetadata": {},
+	"onloadend": {},
+	"onloadstart": {},
+	"onmessage": {},
+	"onmousedown": {},
+	"onmouseenter": {},
+	"onmouseleave": {},
+	"onmousemove": {},
+	"onmouseout": {},
+	"onmouseover": {},
+	"onmouseup": {},
+	"onmousewheel": {},
+	"onmozfullscreenchange": {},
+	"onpagehide": {},
+	"onpageshow": {},
+	"onpaste": {},
+	"onpause": {},
+	"onplay": {},
+	"onplaying": {},
+	"onpointerdown": {},
+	"onpointerenter": {},
+	"onpointerleave": {},
+	"onpointermove": {},
+	"onpointerout": {},
+	"onpointerover": {},
+	"onpointerrawupdate": {},
+	"onpointerup": {},
+	"onpopstate": {},
+	"onprogress": {},
+	"onratechange": {},
+	"onrepeat": {},
+	"onreset": {},
+	"onresize": {},
+	"onscroll": {},
+	"onsearch": {},
+	"onseeked": {},
+	"onseeking": {},
+	"onselect": {},
+	"onselectionchange": {},
+	"onselectstart": {},
+	"onshow": {},
+	"onstart": {},
+	"onsubmit": {},
+	"ontimeupdate": {},
+	"ontoggle": {},
+	"ontouchend": {},
+	"ontouchmove": {},
+	"ontouchstart": {},
+	"ontransitioncancel": {},
+	"ontransitionend": {},
+	"ontransitionrun": {},
+	"ontransitionstart": {},
+	"onunhandledrejection": {},
+	"onunload": {},
+	"onvolumechange": {},
+	"onwebkitanimationend": {},
+	"onwebkitanimationiteration": {},
+	"onwebkitanimationstart": {},
+	"onwebkittransitionend": {},
+	"onwheel": {},
+}