Comments (6)
I've release 0.6.3 with additional logic that effectively strips all but a subset of the standard SVG element attributes which excludes event attributes and the src
attribute.
Please can you take another look and see if you can reproduce any remote code injection attacks with the latest version?
from convert-svg.
I think you should prevent it with whitelisted tag or attributes. No need to allow all the event handling attributes. There are a lots of event handling attributes at svg tag. For example, onload, onfocus, onerror, onstart, onend, ... etc.
Try look at this link. https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/Events
from convert-svg.
from convert-svg.
Thanks. I'll try to take a look at this ASAP but busy over the weekend so it might be next week.
I agree that an allow list is most likely the safest option so I'll try to take care that this is comprehensive and well documented. Additionally, I want to see if there's a way of inspecting SVG files loaded via src
instead of outright ignoring/rejecting that attribute, given that it currently circumvents existing protections. It'll likely ignored/rejected initially for safety but I hope to add support for it back if I can find a way of checking the resource loads via Puppeteer.
Thanks again for looking into this further.
from convert-svg.
Okay I will. By the way, this bug is assigned to CVE-2022-24429.
from convert-svg.
I found another issue, I will create new issue for this.
from convert-svg.
Related Issues (20)
- Support node 16 (update puppeteer) HOT 1
- The Edge Runtime support
- puppeteer params.width and params.height error
- Depends in a vulnerable version of lodash.pick
- Arabic characters displayed properly with small svg but not with large one HOT 1
- Support macOS with M1 HOT 3
- Can't run in loop quickly, fails to open chrome eventually HOT 3
- Remote Code Injection vulnerable HOT 11
- Remote Code Injection vulnerable HOT 3
- svg:first
- How to disable the sandbox with --no-sandbox? HOT 3
- v0.6.0 fails to convert mermaid SVGs properly
- Typescript support
- 0.6.0 produces dimmer renders than 0.5.0
- Failed converting when doing many in parallel HOT 1
- Fails to convert svg that contains emoji in a <text> tag
- convert-svg-to-png does not process extra parameters in CLI HOT 1
- Doesn't work in Docker Container (convert-svg-to-png) HOT 1
- Puppeteer options setup through CLI won't apply!
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from convert-svg.