improve svg sanitization

Author: selul

composer.json

@@ -55,6 +55,7 @@
   "require": {
     "php": ">=7.4",
     "codeinwp/themeisle-sdk": "^3.3",
-    "codeinwp/optimole-sdk": "^1.0"
+    "codeinwp/optimole-sdk": "^1.0",
+    "enshrined/svg-sanitize": "^0.18.0"
   }
 }

composer.lock

@@ -10,6 +10,7 @@
  * @author     Optimole <[email protected]>
  */
 
+use enshrined\svgSanitize\Sanitizer;
 /**
  * Class Optml_Admin
  */
@@ -87,12 +88,105 @@ public function __construct() {
 				'upload_mimes',
 				[
 					$this,
-					'allow_meme_types',
+					'allow_svg',
 				]
 			); // phpcs:ignore WordPressVIPMinimum.Hooks.RestrictedHooks.upload_mimes
+			add_filter( 'wp_handle_upload_prefilter', [ $this, 'check_svg_and_sanitize' ] );
 		}
 	}
+	/**
+	 * Check if the file is an SVG, if so handle appropriately
+	 *
+	 * @param array $file An array of data for a single file.
+	 *
+	 * @return mixed
+	 */
+	public function check_svg_and_sanitize( $file ) {
+		// Ensure we have a proper file path before processing.
+		if ( ! isset( $file['tmp_name'] ) ) {
+			return $file;
+		}
+
+		$file_name   = isset( $file['name'] ) ? $file['name'] : '';
+		$wp_filetype = wp_check_filetype_and_ext( $file['tmp_name'], $file_name );
+		$type        = ! empty( $wp_filetype['type'] ) ? $wp_filetype['type'] : '';
+
+		if ( 'image/svg+xml' === $type ) {
+			if ( ! current_user_can( 'upload_files' ) ) {
+				$file['error'] = 'Invalid';
+				return $file;
+			}
+
+			if ( ! $this->sanitize_svg( $file['tmp_name'] ) ) {
+				$file['error'] = 'Invalid';
+			}
+		}
+
+		return $file;
+	}
+
+	/**
+	 * Sanitize the SVG
+	 *
+	 * @param string $file Temp file path.
+	 *
+	 * @return bool|int
+	 */
+	protected function sanitize_svg( $file ) {
+		// We can ignore the phpcs warning here as we're reading and writing to the Temp file.
+		$dirty = file_get_contents( $file ); // phpcs:ignore
+
+		// Is the SVG gzipped? If so we try and decode the string.
+		$is_zipped = $this->is_gzipped( $dirty );
+		if ( $is_zipped && ( ! function_exists( 'gzdecode' ) || ! function_exists( 'gzencode' ) ) ) {
+			return false;
+		}
 
+		if ( $is_zipped ) {
+			$dirty = gzdecode( $dirty );
+
+			// If decoding fails, bail as we're not secure.
+			if ( false === $dirty ) {
+				return false;
+			}
+		}
+
+		$sanitizer = new Sanitizer();
+		$clean     = $sanitizer->sanitize( $dirty );
+
+		if ( false === $clean ) {
+			return false;
+		}
+
+		// If we were gzipped, we need to re-zip.
+		if ( $is_zipped ) {
+			$clean = gzencode( $clean );
+		}
+
+		// We can ignore the phpcs warning here as we're reading and writing to the Temp file.
+		file_put_contents( $file, $clean ); // phpcs:ignore
+
+		return true;
+	}
+
+	/**
+	 * Check if the contents are gzipped
+	 *
+	 * @see http://www.gzip.org/zlib/rfc-gzip.html#member-format
+	 *
+	 * @param string $contents Content to check.
+	 *
+	 * @return bool
+	 */
+	protected function is_gzipped( $contents ) {
+		// phpcs:disable Generic.Strings.UnnecessaryStringConcat.Found
+		if ( function_exists( 'mb_strpos' ) ) {
+			return 0 === mb_strpos( $contents, "\x1f" . "\x8b" . "\x08" );
+		} else {
+			return 0 === strpos( $contents, "\x1f" . "\x8b" . "\x08" );
+		}
+		// phpcs:enable
+	}
 	/**
 	 * Schedules the hourly cron that starts the querying for images alt/title attributes
 	 *
@@ -1824,7 +1918,7 @@ private function get_dashboard_strings() {
 	 * @access public
 	 * @uses filter:upload_mimes
 	 */
-	public function allow_meme_types( $mimes ) {
+	public function allow_svg( $mimes ) {
 		$mimes['svg'] = 'image/svg+xml';
 
 		return $mimes;