60 fix svg xcc vulnerability (#4660)

* Add domPurify * Sanitize svg files * Add is-svg package * Use isSvg package * Revert "Use isSvg package" This reverts commit 05014b51076505d8766ca8c4c3233f6563869b17. * Revert "Add is-svg package" This reverts commit ad3e206ea6b09c2579bd79ac570b69694936fb7b. * Code review returns
2024-03-26 16:10:45 +01:00
parent 279d99487c
commit ab028b8c22
3 changed files with 49 additions and 1 deletions
--- a/packages/twenty-server/src/engine/core-modules/file/file-upload/services/file-upload.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/file/file-upload/services/file-upload.service.ts
@ -2,6 +2,8 @@ import { Injectable } from '@nestjs/common';

 import sharp from 'sharp';
 import { v4 as uuidV4 } from 'uuid';
+import { JSDOM } from 'jsdom';
+import DOMPurify from 'dompurify';

 import { FileFolder } from 'src/engine/core-modules/file/interfaces/file-folder.interface';

@ -32,6 +34,25 @@ export class FileUploadService {
    });
  }

+  private _sanitizeFile({
+    file,
+    ext,
+    mimeType,
+  }: {
+    file: Buffer | Uint8Array | string;
+    ext: string;
+    mimeType: string | undefined;
+  }): Buffer | Uint8Array | string {
+    if (ext === 'svg' || mimeType === 'image/svg+xml') {
+      const window = new JSDOM('').window;
+      const purify = DOMPurify(window);
+
+      return purify.sanitize(file.toString());
+    }
+
+    return file;
+  }
+
  async uploadFile({
    file,
    filename,
@ -48,7 +69,7 @@ export class FileUploadService {
    const name = `${id}${ext ? `.${ext}` : ''}`;

    await this._uploadFile({
-      file,
+      file: this._sanitizeFile({ file, ext, mimeType }),
      filename: name,
      mimeType,
      fileFolder,