
🐛 Use safer defaults for xml parser.

This commit is contained in:
Andrey Antukh 2021-04-06 17:07:05 +02:00
parent 94a294e147
commit 4f20d22a4f
4 changed files with 17 additions and 6 deletions


@ -137,7 +137,7 @@
[middleware/errors errors/handle]
[middleware/cookies]]}
["/svg" {:post svgparse}]
["/svg/parse" {:post svgparse}]
["/feedback" {:middleware [(:middleware session)]
:post feedback}]
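Review bot: The renamed `/svg/parse` route is still registered without `(:middleware session)`, unlike the neighbouring `/feedback` route, so as far as this hunk shows the XML parser is reachable without an authenticated session. If that is intentional, say so next to the route, e.g. `;; unauthenticated by design: parser is hardened in app.svgparse (DTD disallowed); body size must be bounded upstream`, and confirm that a request-body size limit is applied before the handler, since the hardened parser only closes XXE/entity expansion, not oversized payloads. The enclosing routes vector starts before this hunk.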


@ -12,6 +12,7 @@
[app.common.exceptions :as ex]
[app.metrics :as mtx]
[clojure.spec.alpha :as s]
[clojure.tools.logging :as log]
[clojure.xml :as xml]
[integrant.core :as ig])
(:import
@ -45,14 +46,24 @@
{:status 200
:body (process-request body)})
(defn secure-factory
[s ch]
(.. (doto (javax.xml.parsers.SAXParserFactory/newInstance)
(.setFeature javax.xml.XMLConstants/FEATURE_SECURE_PROCESSING true)
(.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true))
(newSAXParser)
(parse s ch)))
(defn parse
[data]
(try
(with-open [istream (IOUtils/toInputStream data "UTF-8")]
(xml/parse istream))
(catch Exception _e
(xml/parse istream secure-factory))
(catch Exception e
(log/warnf "error on processing svg: %s" (ex-message e))
(ex/raise :type :validation
:code :invalid-svg-file))))
:code :invalid-svg-file
:cause e))))
(defn process-request
[body]
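Review bot: `disallow-doctype-decl` in `secure-factory` rejects every SVG that carries the common `<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" ...>` prolog, and because `parse` folds every exception into `:invalid-svg-file` the caller cannot tell a DOCTYPE rejection from a genuinely malformed file; that trade-off should be recorded in a docstring such as `"SAX startparse fn for clojure.xml/parse. DTDs are disallowed outright (closes XXE and entity-expansion attacks), so documents with a DOCTYPE prolog are rejected as invalid."`. The name also suggests the function builds a factory, whereas it performs the parse, so `secure-startparse` would read better. Separately, the Apache-specific feature URI makes `.setFeature` throw `SAXNotRecognizedException` when a non-Xerces SAX provider is on the classpath, and the same `catch Exception` would then misreport every upload as an invalid file at request time; configuring the factory once at namespace load surfaces that at startup and avoids the per-request `newInstance` provider lookup (JAXP does not promise factory thread-safety, so confirm for the provider in use or guard `newSAXParser` with `locking`).

```clojure
(def ^:private sax-factory
  (delay
    (doto (javax.xml.parsers.SAXParserFactory/newInstance)
      (.setFeature javax.xml.XMLConstants/FEATURE_SECURE_PROCESSING true)
      (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true))))

(defn secure-factory
  "SAX startparse fn for clojure.xml/parse. DTDs are disallowed outright
  (closes XXE and entity-expansion attacks), so documents with a DOCTYPE
  prolog are rejected as invalid."
  [s ch]
  (.parse (.newSAXParser @sax-factory) s ch))

;; … unchanged: parse, process-request …
```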


@ -396,7 +396,7 @@
(defn parse-svg [[name text]]
(->> (http/send! {:method :post
:uri "/api/svg"
:uri "/api/svg/parse"
:headers {"content-type" "image/svg+xml"}
:body text})
(rx/map (fn [{:keys [status body]}]


@ -5,7 +5,7 @@
;; This Source Code Form is "Incompatible With Secondary Licenses", as
;; defined by the Mozilla Public License, v. 2.0.
;;
;; Copyright (c) 2020 UXBOX Labs SL
;; Copyright (c) UXBOX Labs SL
(ns app.main.repo
(:require