Merge pull request #244 from KManolov3/fix/uepr-224-svg-vulnerabilities

Fix/uepr 224 svg vulnerabilities

Author: KManolov3

packages/scratch-svg-renderer/src/sanitize-svg.js

@@ -8,15 +8,17 @@ const DOMPurify = require('isomorphic-dompurify');
 
 const sanitizeSvg = {};
 
+const isInternalRef = ref => ref.startsWith('#') || ref.startsWith('data:');
+
 DOMPurify.addHook(
     'beforeSanitizeAttributes',
     currentNode => {
 
         if (currentNode && currentNode.href && currentNode.href.baseVal) {
             const href = currentNode.href.baseVal.replace(/\s/g, '');
             // "data:" and "#" are valid hrefs
-            if ((href.slice(0, 5) !== 'data:') && (href.slice(0, 1) !== '#')) {
-
+            if (!isInternalRef(href)) {
+                // TODO: Those can be in different namespaces than `xlink:`
                 if (currentNode.attributes.getNamedItem('xlink:href')) {
                     currentNode.attributes.removeNamedItem('xlink:href');
                     delete currentNode['xlink:href'];
@@ -27,6 +29,24 @@ DOMPurify.addHook(
                 }
             }
         }
+
+        // Remove url(...) usages with external references
+        if (currentNode && currentNode.attributes) {
+            for (let i = currentNode.attributes.length - 1; i >= 0; i--) {
+                const attr = currentNode.attributes[i];
+                const rawValue = attr.value || '';
+                const value = rawValue.toLowerCase().replace(/\s/g, '');
+        
+                const urlMatch = value.match(/url\((.+?)\)/);
+                if (urlMatch) {
+                    const ref = urlMatch[1].replace(/['"]/g, '');
+                    if (!isInternalRef(ref)) {
+                        currentNode.removeAttribute(attr.name);
+                    }
+                }
+            }
+        }
+    
         return currentNode;
     }
 );
@@ -37,13 +57,34 @@ DOMPurify.addHook(
         if (data.tagName === 'style') {
             const ast = parse(node.textContent);
             let isModified = false;
-            // Remove any @import rules as it could leak HTTP requests
+
             walk(ast, (astNode, item, list) => {
-                if (astNode.type === 'Atrule' && astNode.name === 'import') {
+                // @import rules
+                if (astNode.type === 'Atrule' && astNode.name.toLowerCase() === 'import') {
                     list.remove(item);
                     isModified = true;
                 }
+                
+                // Elements using url(...) for external resources
+                if (astNode.type === 'Declaration' && astNode.value) {
+                    let shouldRemove = false;
+                    walk(astNode.value, valueNode => {
+                        if (valueNode.type === 'Url') {
+                            const urlValue = (valueNode.value.value || '').trim().replace(/['"]/g, '');
+    
+                            if (!isInternalRef(urlValue)) {
+                                shouldRemove = true;
+                            }
+                        }
+                    });
+
+                    if (shouldRemove) {
+                        list.remove(item);
+                        isModified = true;
+                    }
+                }
             });
+
             if (isModified) {
                 node.textContent = generate(ast);
             }