Restrict Internet Protocols for Linked Images

Do not allow use of Php propietary protocols to retrieve linked images. Restrict to http, https, ftp, file, and s3.

Author: oleibman

src/PhpSpreadsheet/Worksheet/Drawing.php

@@ -97,6 +97,9 @@ public function setPath(string $path, bool $verifyFile = true, ?ZipArchive $zip
         if ($verifyFile && preg_match('~^data:image/[a-z]+;base64,~', $path) !== 1) {
             // Check if a URL has been passed. https://stackoverflow.com/a/2058596/1252979
             if (filter_var($path, FILTER_VALIDATE_URL)) {
+                if (!preg_match('/^(http|https|file|ftp|s3):/', $path)) {
+                    throw new PhpSpreadsheetException('Invalid protocol for linked drawing');
+                }
                 $this->path = $path;
                 // Implicit that it is a URL, rather store info than running check above on value in other places.
                 $this->isUrl = true;

tests/PhpSpreadsheetTests/Reader/Html/HtmlImage2Test.php

@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Reader\Html;
+
+use PhpOffice\PhpSpreadsheet\Exception as SpreadsheetException;
+use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;
+use PHPUnit\Framework\TestCase;
+
+class HtmlImage2Test extends TestCase
+{
+    public function testCanInsertImageGoodProtocol(): void
+    {
+        if (getenv('SKIP_URL_IMAGE_TEST') === '1') {
+            self::markTestSkipped('Skipped due to setting of environment variable');
+        }
+        $imagePath = 'https://phpspreadsheet.readthedocs.io/en/latest/topics/images/01-03-filter-icon-1.png';
+        $html = '<table>
+                    <tr>
+                        <td><img src="' . $imagePath . '" alt="test image voilà"></td>
+                    </tr>
+                </table>';
+        $filename = HtmlHelper::createHtml($html);
+        $spreadsheet = HtmlHelper::loadHtmlIntoSpreadsheet($filename, true);
+        $firstSheet = $spreadsheet->getSheet(0);
+
+        /** @var Drawing $drawing */
+        $drawing = $firstSheet->getDrawingCollection()[0];
+        self::assertEquals($imagePath, $drawing->getPath());
+        self::assertEquals('A1', $drawing->getCoordinates());
+    }
+
+    public function testCannotInsertImageBadProtocol(): void
+    {
+        $this->expectException(SpreadsheetException::class);
+        $this->expectExceptionMessage('Invalid protocol for linked drawing');
+        $imagePath = 'httpx://phpspreadsheet.readthedocs.io/en/latest/topics/images/01-03-filter-icon-1.png';
+        $html = '<table>
+                    <tr>
+                        <td><img src="' . $imagePath . '" alt="test image voilà"></td>
+                    </tr>
+                </table>';
+        $filename = HtmlHelper::createHtml($html);
+        $spreadsheet = HtmlHelper::loadHtmlIntoSpreadsheet($filename, true);
+    }
+}

tests/PhpSpreadsheetTests/Reader/Xlsx/URLImageTest.php

@@ -4,6 +4,7 @@
 
 namespace PhpOffice\PhpSpreadsheetTests\Reader\Xlsx;
 
+use PhpOffice\PhpSpreadsheet\Exception as SpreadsheetException;
 use PhpOffice\PhpSpreadsheet\IOFactory;
 use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;
 use PhpOffice\PhpSpreadsheetTests\Reader\Utility\File;
@@ -41,4 +42,14 @@ public function testURLImageSource(): void
             self::assertSame('png', $extension);
         }
     }
+
+    public function testURLImageSourceBadProtocol(): void
+    {
+        $filename = realpath(__DIR__ . '/../../../data/Reader/XLSX/urlImage.bad.xlsx');
+        self::assertNotFalse($filename);
+        $this->expectException(SpreadsheetException::class);
+        $this->expectExceptionMessage('Invalid protocol for linked drawing');
+        $reader = IOFactory::createReader('Xlsx');
+        $reader->load($filename);
+    }
 }