Filter SVGs before uploading by default

Created on 17 December 2024, 4 months ago

Problem/Motivation

SVGs are very powerful tools. They can include malicious code. As part of robust protection against malicious uploads, Drupal could filter (sanitize) SVG files on upload.

In general Drupal handles input as:

  1. validates input to be appropriate for a field - e.g. is a number for a number field, file size is within the limit - and lets the user fix any validation problems on the client side
  2. stores the original content provided by a user
  3. filters content on output to mitigate security attacks

However, that strategy isn't as appropriate in the case of public files since they are generally served directly by the webserver, avoiding a Drupal bootstrap, and, therefore, cannot be filtered by Drupal at the time of display.

Steps to reproduce

Upload a malicious SVG. Drupal accepts it and will let people download it and upload it to a new site.

Proposed resolution

Integrate a tool (perhaps SVG Sanitizer) into the upload process.

Remaining tasks

Evaluate and decide on a tool for this purpose.
Add it.

User interface changes

TBD.

Introduced terminology

TBD.

API changes

TBD.

Data model changes

TBD.

Release notes snippet

TBD.

✨ Feature request
Status

Postponed

Version

11.1 🔥

Component

file system

Created by

🇺🇸 United States greggles Denver, Colorado, USA


Comments & Activities

  • Issue created by @greggles
  • 🇺🇸 United States greggles Denver, Colorado, USA

    Creating this as a postponed followup to #2868079: Add a default Content-Security-Policy-header for svg files to provide a more robust solution to a wider set of problems.

  • 🇳🇿 New Zealand quietone
  • 🇦🇺 Australia kim.pepper 🏄‍♂️🇦🇺 Sydney, Australia
  • 🇺🇸 United States benjifisher Boston area

    One option, but not a very practical one, is to save SVG files as private files, not public. Then (somehow) Drupal could sanitize them on output.

    I think a better option is to provide a file validator using a suitable PHP library. Then site owners and contrib module maintainers would have the option of adding SVG validation to any field that allows uploading SVG files. We could recommend using it and add it to the Standard and/or Umami profiles. But site owners would have the freedom to use it or not.

    This option requires finding a suitable library that implements something like isSvgSafe(), returning bool. I have not researched such libraries.

    One concern I have heard is that new vulnerabilities might be discovered in SVG files. The library we use might be updated, preventing new uploads of malicious files, but that would not help if such files have already been uploaded. I think a good way to deal with that would be to provide a field formatter that returns a boolean (Safe or Unsafe). We could add that formatter to /admin/content/files. After updates to the SVG library, site owners could filter on that value to search for existing, unsafe SVG files.
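
A simplified sketch of the kind of boolean check the comment above describes, added here as an example and not taken from the issue, Drupal core or any existing library. The name isSvgSafe() comes from the comment; the element allowlist, the rules and the sample SVG strings are assumptions constructed for illustration, using only PHP's DOM extension.

```php
<?php
// Added example: hypothetical isSvgSafe(), an allowlist check on parsed SVG.
// The allowlist is deliberately small and constructed for illustration.
const SVG_ALLOWED_ELEMENTS = ['svg', 'g', 'defs', 'title', 'desc', 'path', 'rect',
    'circle', 'ellipse', 'line', 'polyline', 'polygon', 'text', 'tspan', 'use',
    'lineargradient', 'radialgradient', 'stop', 'clippath'];

function isSvgSafe(string $svg): bool
{
    // Reject empty input and any DOCTYPE (the vehicle for entity expansion and XXE).
    if ($svg === '' || stripos($svg, '<!DOCTYPE') !== false) {
        return false;
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // keep parse errors out of output
    $loaded = $doc->loadXML($svg, LIBXML_NONET);    // never fetch over the network
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$loaded || $doc->documentElement === null
        || strtolower($doc->documentElement->localName) !== 'svg') {
        return false;
    }
    foreach ($doc->getElementsByTagName('*') as $element) {
        // Anything outside the allowlist fails: script, foreignObject, style, a, ...
        if (!in_array(strtolower($element->localName), SVG_ALLOWED_ELEMENTS, true)) {
            return false;
        }
        foreach ($element->attributes as $attribute) {
            $name = strtolower($attribute->localName);
            $value = trim($attribute->value);
            // Event handler attributes (onload, onclick, ...) run script.
            if (strncmp($name, 'on', 2) === 0) {
                return false;
            }
            // href and xlink:href may only reference a fragment of the same file.
            if ($name === 'href' && ($value === '' || $value[0] !== '#')) {
                return false;
            }
        }
    }
    return true;
}

// Constructed sample inputs: one plain drawing, one carrying script.
$clean = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
$dirty = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>';
var_dump(isSvgSafe($clean), isSvgSafe($dirty));
```

Because the function only returns a verdict and does not modify the file, the same check could back both an upload validator and a later re-scan of files already stored.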
