CVE-2022-24749

### Impact There is a possibility to upload an SVG file containing XSS code in the admin panel. In order to perform an XSS attack, the file itself has to be opened in a new card (or loaded outside of the IMG tag). The problem applies both to the files opened on the admin panel and shop pages. ### Patches The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above. ### Workarounds If there is a need to upload an SVG image type, on-upload sanitization has to be added. The way to achieve this is to require a library that will do the trick: ``` composer require enshrined/svg-sanitize ``` The second step is all about performing a file content sanitization before writing it to the filesystem. It can be done by overwriting the service: ```php <?php declare(strict_types=1); namespace App\Uploader; use enshrined\svgSanitize\Sanitizer; use Gaufrette\Filesystem; use Sylius\Component\Core\Generator\ImagePathGeneratorInterface; use Sylius\Component\Core\Generator\UploadedImagePathGenerator; use Sylius\Component\Core\Model\ImageInterface; use Sylius\Component\Core\Uploader\ImageUploaderInterface; use Symfony\Component\HttpFoundation\File\File; use Webmozart\Assert\Assert; final class ImageUploader implements ImageUploaderInterface { private const MIME_SVG_XML = 'image/svg+xml'; private const MIME_SVG = 'image/svg'; /** @var Filesystem */ protected $filesystem; /** @var ImagePathGeneratorInterface */ protected $imagePathGenerator; /** @var Sanitizer */ protected $sanitizer; public function __construct( Filesystem $filesystem, ?ImagePathGeneratorInterface $imagePathGenerator = null ) { $this->filesystem = $filesystem; if ($imagePathGenerator === null) { @trigger_error(sprintf( 'Not passing an $imagePathGenerator to %s constructor is deprecated since Sylius 1.6 and will be not possible in Sylius 2.0.', self::class ), \E_USER_DEPRECATED); } $this->imagePathGenerator = $imagePathGenerator ?? new UploadedImagePathGenerator(); $this->sanitizer = new Sanitizer(); } public function upload(ImageInterface $image): void { if (!$image->hasFile()) { return; } /** @var File $file */ $file = $image->getFile(); Assert::isInstanceOf($file, File::class); $fileContent = $this->sanitizeContent(file_get_contents($file->getPathname()), $file->getMimeType()); if (null !== $image->getPath() && $this->has($image->getPath())) { $this->remove($image->getPath()); } do { $path = $this->imagePathGenerator->generate($image); } while ($this->isAdBlockingProne($path) || $this->filesystem->has($path)); $image->setPath($path); $this->filesystem->write($image->getPath(), $fileContent); } public function remove(string $path): bool { if ($this->filesystem->has($path)) { return $this->filesystem->delete($path); } return false; } protected function sanitizeContent(string $fileContent, string $mimeType): string { if (self::MIME_SVG_XML === $mimeType || self::MIME_SVG === $mimeType) { $fileContent = $this->sanitizer->sanitize($fileContent); } return $fileContent; } private function has(string $path): bool { return $this->filesystem->has($path); } /** * Will return true if the path is prone to be blocked by ad blockers */ private function isAdBlockingProne(string $path): bool { return strpos($path, 'ad') !== false; } } ``` After that, register service in the container: ```yaml services: sylius.image_uploader: class: App\Uploader\ImageUploader arguments: - '@gaufrette.sylius_image_filesystem' - '@Sylius\Component\Core\Generator\ImagePathGeneratorInterface' ``` ### For more information If you have any questions or comments about this advisory: * Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues) * Email us at [email protected]