testcases updated, fast fail added

bgalek · bgalek · commit 3d7925e5e1bc · 2020-08-25T22:26:54.000+02:00
diff --git a/src/main/java/com/github/bgalek/security/svg/SvgSecurityValidator.java b/src/main/java/com/github/bgalek/security/svg/SvgSecurityValidator.java
@@ -6,9 +6,11 @@
 
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 /**
  * SVG Safe is a very simple and lightweight library that helps
@@ -20,6 +22,8 @@
  */
 public class SvgSecurityValidator implements XssDetector {
 
+    private static final Pattern JAVASCRIPT_PROTOCOL_IN_CSS_URL = Pattern.compile("url\\(.?javascript");
+
     /**
      * This is the main method that handles svg file validation
      *
@@ -40,6 +44,7 @@ public ValidationResult validate(byte[] input) {
     }
 
     private static Set<String> getOffendingElements(String xml) {
+        if (JAVASCRIPT_PROTOCOL_IN_CSS_URL.matcher(xml).find()) return Collections.singleton("style");
         PolicyFactory policy = new HtmlPolicyBuilder()
                 .allowElements(SVG_ELEMENTS)
                 .allowStyling()
@@ -303,7 +308,10 @@ private static Set<String> getOffendingElements(String xml) {
             "x",
             "x1",
             "x2",
+            "xlink:href",
             "xmlns",
+            "xml:space",
+            "xmlns:xlink",
             "y",
             "y1",
             "y2",
diff --git a/src/test/java/com/github/bgalek/security/svg/SvgSecurityValidatorTest.java b/src/test/java/com/github/bgalek/security/svg/SvgSecurityValidatorTest.java
@@ -1,12 +1,16 @@
 package com.github.bgalek.security.svg;
 
 import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 import org.junit.jupiter.params.provider.ValueSource;
 
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
+import java.util.Collections;
 import java.util.Objects;
+import java.util.stream.Stream;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -15,43 +19,53 @@
 class SvgSecurityValidatorTest {
 
     @ParameterizedTest(name = "validate {0} svg")
-    @ValueSource(strings = {"hacked/with-onclick-attribute.svg", "hacked/with-script-tag.svg", "hacked/with-script-tag-in-styles.svg"})
-    void shouldDetectXssInFiles(String file) {
+    @MethodSource("evilUseCases")
+    void shouldDetectXssInFiles(String file, String expectedOffendingElements) {
         ValidationResult detect = new SvgSecurityValidator().validate(loadFile(file));
-        assertEquals(1, detect.getOffendingElements().size());
         assertTrue(detect.hasViolations());
+        assertEquals(expectedOffendingElements, String.join(",", detect.getOffendingElements()));
     }
 
     @ParameterizedTest(name = "validate {0} svg")
     @ValueSource(strings = {"original/valid.svg"})
     void shouldNotDetectAnythingInValidFiles(String file) {
         ValidationResult detect = new SvgSecurityValidator().validate(loadFile(file));
-        assertEquals(0, detect.getOffendingElements().size());
         assertFalse(detect.hasViolations());
+        assertEquals(Collections.emptySet(), detect.getOffendingElements());
     }
 
     @ParameterizedTest(name = "validate {0} svg")
     @ValueSource(strings = {"original/valid.svg"})
     void shouldNotDetectAnythingInValidFilesUsingBytes(String file) {
         ValidationResult detect = new SvgSecurityValidator().validate(loadFile(file).getBytes());
-        assertEquals(0, detect.getOffendingElements().size());
         assertFalse(detect.hasViolations());
+        assertEquals(Collections.emptySet(), detect.getOffendingElements());
     }
 
     @ParameterizedTest(name = "validate {0} svg")
     @ValueSource(strings = {"broken/broken.csv.svg"})
     void shouldThrowExceptionWhenInputIsNotValidXml(String file) {
         ValidationResult detect = new SvgSecurityValidator().validate(loadFile(file));
-        assertEquals(0, detect.getOffendingElements().size());
         assertFalse(detect.hasViolations());
+        assertEquals(Collections.emptySet(), detect.getOffendingElements());
     }
 
     @ParameterizedTest(name = "validate {0} svg")
     @ValueSource(strings = {"broken/broken.png.svg"})
     void shouldThrowExceptionWhenInputIsBinaryType(String file) {
         ValidationResult detect = new SvgSecurityValidator().validate(loadFile(file).getBytes());
-        assertEquals(0, detect.getOffendingElements().size());
         assertFalse(detect.hasViolations());
+        assertEquals(Collections.emptySet(), detect.getOffendingElements());
+    }
+
+    private static Stream<Arguments> evilUseCases() {
+        return Stream.of(
+                Arguments.of("hacked/with-onclick-attribute.svg", "onclick"),
+                Arguments.of("hacked/with-script-tag.svg", "script"),
+                Arguments.of("hacked/with-script-tag-in-styles.svg", "script"),
+                Arguments.of("hacked/with-css-url-syntax.svg", "style"),
+                Arguments.of("hacked/with-xlink-injection.svg", "script")
+        );
     }
 
     private String loadFile(String fileName) {
diff --git a/src/test/resources/hacked/with-xlink-injection.svg b/src/test/resources/hacked/with-xlink-injection.svg
@@ -0,0 +1,8 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xlink:href="javascript:alert(1)">
+    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+    <script type="text/javascript">
+        alert('This app is probably vulnerable to XSS attacks!');
+    </script>
+</svg>
