Issue #3064351 by larowlan, matt_paz, tsug0d, greggles: Pin composer.json to...

Issue #3064351 by larowlan, matt_paz, tsug0d, greggles: Pin composer.json to prevent installation of insecure versions of enshrined/svg-sanitize

composer.json

@@ -3,7 +3,7 @@
     "description": "Makes the SVG Sanitizer library available to Drupal",
     "type": "drupal-module",
     "require": {
-        "enshrined/svg-sanitize": "^0.7.1"
+        "enshrined/svg-sanitize": "^0.12.0"
     },
     "license": "GPL2+"
 }

tests/src/Kernel/SvgSanitizerFormatterTest.php

+<?php
+
+namespace Drupal\Tests\svg_sanitizer\Kernel;
+
+use Drupal\Core\Entity\Entity\EntityViewDisplay;
+use Drupal\Core\Render\RenderContext;
+use Drupal\Core\StreamWrapper\PublicStream;
+use Drupal\Core\Url;
+use Drupal\entity_test\Entity\EntityTest;
+use Drupal\field\Entity\FieldConfig;
+use Drupal\field\Entity\FieldStorageConfig;
+use Drupal\file\Entity\File;
+use Drupal\KernelTests\KernelTestBase;
+use enshrined\svgSanitize\data\AllowedAttributes;
+use enshrined\svgSanitize\data\AllowedTags;
+use Symfony\Component\DomCrawler\Crawler;
+
+/**
+ * Defines a class for testing svg sanitizer output.
+ *
+ * @group svg_sanitizer
+ */
+class SvgSanitizerFormatterTest extends KernelTestBase {
+
+  /**
+   * The test field name.
+   *
+   * @var string
+   */
+  protected $fieldName = 'field_test';
+
+  /**
+   * The entity type ID.
+   *
+   * @var string
+   */
+  protected $entityTypeId = 'entity_test';
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = [
+    'user',
+    'system',
+    'field',
+    'text',
+    'entity_test',
+    'field_test',
+    'svg_sanitizer',
+    'file',
+  ];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    $this->installEntitySchema($this->entityTypeId);
+    $this->installEntitySchema('file');
+    $this->installSchema('file', ['file_usage']);
+
+    EntityViewDisplay::create([
+      'targetEntityType' => 'entity_test',
+      'bundle' => 'entity_test',
+      'mode' => 'default',
+    ])->save();
+    FieldStorageConfig::create([
+      'field_name' => $this->fieldName,
+      'entity_type' => $this->entityTypeId,
+      'type' => 'file',
+    ])->save();
+    FieldConfig::create([
+      'entity_type' => $this->entityTypeId,
+      'field_name' => $this->fieldName,
+      'bundle' => $this->entityTypeId,
+    ])->save();
+  }
+
+  /**
+   * Get and prepare the output of a field.
+   *
+   * @param string $url
+   *   The path to the file.
+   * @param array $settings
+   *   An array of formatter settings.
+   *
+   * @return string
+   *   The rendered prepared field output.
+   */
+  protected function getPreparedFieldOutput($filepath, array $settings) {
+    $file_system = \Drupal::service('file_system');
+    $file_system->copy($filepath, PublicStream::basePath());
+    $file = File::create([
+      'uri' => 'public://' . basename($filepath),
+    ]);
+    $file->save();
+    $entity = EntityTest::create();
+    $entity->{$this->fieldName} = $file;
+    $entity->save();
+
+    $field_output = $this->container->get('renderer')
+      ->executeInRenderContext(new RenderContext(), function () use ($entity, $settings) {
+        return $entity->{$this->fieldName}->view($settings);
+      });
+
+    return $this->stripWhitespace((string) $field_output[0]['#markup']);
+  }
+
+  /**
+   * Remove HTML whitespace from a string.
+   *
+   * @param string $string
+   *   The input string.
+   *
+   * @return string
+   *   The whitespace cleaned string.
+   */
+  protected function stripWhitespace($string) {
+    $no_whitespace = preg_replace('/\s{2,}/', '', $string);
+    $no_whitespace = str_replace("\n", '', $no_whitespace);
+    return $no_whitespace;
+  }
+
+  /**
+   * Tests formatter output.
+   *
+   * @param string $filepath
+   *   Filepath to SVG file, relative to drupal root.
+   * @param array $settings
+   *   Formatter settings.
+   * @param array $expect_removed
+   *   Removed selectors.
+   * @param array $expect_present
+   *   Present selectors.
+   *
+   * @dataProvider providerSanitizer
+   */
+  public function testSanitizer($filepath, array $settings, array $expect_removed, array $expect_present) {
+    $output = $this->getPreparedFieldOutput(DRUPAL_ROOT . $filepath, $settings);
+    $crawler = new Crawler($output);
+    foreach ($expect_removed as $removed) {
+      $this->assertEquals(0, $crawler->filter(sprintf('default|svg default|%s', $removed))->count(), sprintf('%s was removed', $removed));
+    }
+    foreach ($expect_present as $present) {
+      $this->assertGreaterThan(0, $crawler->filter(sprintf('default|svg default|%s', $present))->count(), sprintf('%s was found', $present));
+    }
+  }
+
+  /**
+   * Data provider.
+   *
+   * @return array
+   *   Test cases.
+   */
+  public function providerSanitizer() {
+    return [
+      'defaults' => [
+        '/vendor/enshrined/svg-sanitize/tests/data/svgTestOne.svg',
+        [
+          'type' => 'svg_sanitizer',
+          'settings' => [
+            'allowedattrs' => '',
+            'allowedtags' => '',
+          ],
+        ],
+        [
+          'this',
+          'script',
+          'line[onload]',
+        ],
+        [
+          'line[fill=none]',
+          'line[x1]',
+        ],
+      ],
+      'additional' => [
+        '/vendor/enshrined/svg-sanitize/tests/data/svgTestOne.svg',
+        [
+          'type' => 'svg_sanitizer',
+          'settings' => [
+            'allowedattrs' => '',
+            'allowedtags' => 'this',
+          ],
+        ],
+        [
+          'script',
+          'line[onload]',
+        ],
+        [
+          'this',
+          'line[fill=none]',
+          'line[x1]',
+        ],
+      ],
+    ];
+  }
+
+}