Comments (4)
@raushan3737 sure, you can give it a try.
from appsmith.
Hi @somangshu, @Nikhil-Nandagopal, I would like to work on this ticket. Can I pick this issue?
from appsmith.
Hi @Nikhil-Nandagopal, @somangshu,
In order to fix the bug, we have to ensure secure handling of SVG files in the application; we need a comprehensive approach to validate and sanitize SVG content to prevent cyber attacks like malicious code injection, phishing, etc.
Below are the approaches and detailed steps to achieve this:
Approach 1: Regex Testing for Malicious Content
Pros: Simple implementation.
Cons: May miss edge cases, leaving potential vulnerabilities, as it will not be possible to check every scenario to prevent malicious scripts.
Also, there is a chance of ending up with a wrongly formatted SVG after sanitization using regex, which might not be a valid SVG to render.
Approach 2: Comprehensive Validation and Sanitization
- Identify Controllers and Services.
- Validate Image Formats:
  - Ensure the application correctly identifies and processes supported image formats (JPEG, PNG, ICO, SVG).
  - Special attention should be given to SVG files due to their potential to contain malicious code.
- SVG Validation and Sanitization:
  - Use a library for sanitizing SVG content to ensure it does not contain malicious HTML/JavaScript.
  - Consider using OWASP Java HTML Sanitizer, which provides configurable policies to specify allowable content within SVG files and ensures removal of any malicious content during the sanitization process. Also, this library is maintained by the OWASP team, which is a more reputed organization that defines and follows security policy in the cyber domain, so we can go with it and also get future updates from them.
I feel the second approach is a more secure way to fix this bug. Should we proceed with approach 2 and use an external library for sanitization?
Validation logic file: URL
Sanitization Method (thinking to use it like this):
from appsmith.
Hi @Nikhil-Nandagopal, @somangshu,
While going through the above approaches and testing them with multiple SVGs, I found the below observations:
In Approach 2:
- While sanitizing, we may miss covering some of the attributes and elements, as an SVG might be built from various types of attributes and elements, so we may lose the actual SVG or part of it during sanitization.
- Also, it will increase the jar size, as we are thinking of using an external library.
In Approach 1:
- Instead of doing the sanitization, we can just validate the SVG; if it passes the validation criteria we will allow it to be uploaded to the server, else we can throw AppsmithValidationException with the message "please provide a valid svg file".
- By this, we are not allowing the user to upload a malicious SVG; also, this implementation will not have much complexity, as we are validating through a regex pattern.
Snapshot:
from appsmith.
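A parse-based allowlist validator that refuses the upload rather than rewriting it, illustrating the validate-and-reject idea from the last comment while avoiding the edge-case gaps the first comment attributes to regex matching. This is an added example in Python, not Appsmith code or the OWASP library; the element allowlist, the sample uploads and the `svg_rejection_reason` name are constructed assumptions (the Java service would raise AppsmithValidationException with the returned message).

```python
# Allowlist-based SVG upload validator (added example, not Appsmith code).
# The upload is parsed as XML and refused if anything falls outside a small
# safe subset, so unknown constructs fail closed instead of slipping past a regex.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_ELEMENTS = {  # constructed allowlist for icons/logos; extend per project
    "svg", "g", "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "defs", "use", "symbol", "title", "desc", "stop",
    "linearGradient", "radialGradient", "clipPath", "mask",
}

def _local(qname: str) -> str:
    """Strip the XML namespace: '{http://...}path' -> 'path'."""
    return qname.rsplit("}", 1)[-1]

def svg_rejection_reason(data: bytes):
    """Return None if the upload may be stored, else the reason to refuse it."""
    # DOCTYPE/ENTITY declarations are never needed for icons and enable
    # entity-expansion tricks, so refuse them before the parser sees them.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return "DOCTYPE/ENTITY declarations are not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"not well-formed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return "root element is not <svg> in the SVG namespace"
    for el in root.iter():
        name = _local(el.tag)
        if name not in ALLOWED_ELEMENTS:  # rejects script, foreignObject, a, ...
            return f"element <{name}> is not allowed"
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):  # onload, onclick, ... event handlers
                return f"event handler attribute {a} is not allowed"
            if attr in ("href", XLINK_HREF) and not value.startswith("#"):
                return f"non-local href {value!r} is not allowed"  # remote/scripted refs
    return None

# Constructed samples: one clean icon and four uploads that must be refused.
GOOD = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><path d="M0 0h10v10z"/></svg>'
BAD_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>run()</script></svg>'
BAD_ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()"/>'
BAD_HREF = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<use xlink:href="https://example.invalid/x.svg#a"/></svg>')
BAD_DOCTYPE = b'<!DOCTYPE svg [<!ENTITY e "x">]><svg xmlns="http://www.w3.org/2000/svg"/>'
```

Because the check is an allowlist, an SVG using an element or attribute the project later needs (e.g. `filter`) is refused until it is added deliberately, which is the intended trade-off versus a denylist regex.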