"""This file and its contents are licensed under the Apache License 2.0. Please see the included NOTICE for copyright information and LICENSE for a copy of the license.
|
"""
|
import io
|
|
import pytest
|
from data_import.models import FileUpload
|
from django.conf import settings
|
|
|
@pytest.mark.django_db
|
def test_svg_upload_sanitize(setup_project_dialog):
|
"""Upload malicious SVG file - remove harmful content"""
|
settings.SVG_SECURITY_CLEANUP = True
|
|
xml_dirty = """<?xml version="1.0" standalone="no"?>
|
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
|
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
|
<script type="text/javascript">alert(document.cookie);</script>
|
</svg>"""
|
|
f = io.StringIO(xml_dirty)
|
|
endpoint = f'/api/projects/{setup_project_dialog.project.id}/import?commit_to_project=true'
|
r = setup_project_dialog.post(endpoint, {'xss_svg.svg': f})
|
|
assert r.status_code == 201
|
|
expected = """<svg version="1.1" baseprofile="full" xmlns="http://www.w3.org/2000/svg">
|
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"></polygon>\n
|
</svg>\n"""
|
|
actual = FileUpload.objects.filter(id=r.data['file_upload_ids'][0]).last().file.read()
|
|
assert len(''.join(actual.decode('UTF-8').split())) > 100 # confirm not empty
|
|
assert ''.join(expected.split()) == ''.join(actual.decode('UTF-8').split())
|
|
|
@pytest.mark.django_db
|
def test_svg_upload_invalid_format(setup_project_dialog):
|
"""Upload invalid SVG file - still accepted"""
|
settings.SVG_SECURITY_CLEANUP = True
|
|
xml_dirty = """<?xml version="1.0" standalone="no"?>
|
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">gibberish</svg>"""
|
f = io.StringIO(xml_dirty)
|
|
endpoint = f'/api/projects/{setup_project_dialog.project.id}/import?commit_to_project=true'
|
r = setup_project_dialog.post(endpoint, {'xss_svg.svg': f})
|
|
assert r.status_code == 201
|
|
expected = """
|
<svgversion="1.1"baseprofile="full"xmlns="http://www.w3.org/2000/svg">gibberish</svg>
|
"""
|
|
actual = FileUpload.objects.filter(id=r.data['file_upload_ids'][0]).last().file.read()
|
|
assert ''.join(expected.split()) == ''.join(actual.decode('UTF-8').split())
|
|
|
@pytest.mark.django_db
|
def test_svg_upload_do_not_sanitize(setup_project_dialog):
|
"""Upload SVG file - do not sanitize file content"""
|
settings.SVG_SECURITY_CLEANUP = False
|
|
xml_dirty = """<?xml version="1.0" standalone="no"?>
|
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
|
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
|
<script type="text/javascript">alert(document.cookie);</script>
|
</svg>"""
|
|
f = io.StringIO(xml_dirty)
|
|
endpoint = f'/api/projects/{setup_project_dialog.project.id}/import?commit_to_project=true'
|
r = setup_project_dialog.post(endpoint, {'xss_svg.svg': f})
|
|
assert r.status_code == 201
|
|
actual = FileUpload.objects.filter(id=r.data['file_upload_ids'][0]).last().file.read()
|
|
assert ''.join(xml_dirty.split()) == ''.join(actual.decode('UTF-8').replace('\n', '').split())
|
