Skip to content

Simple and lightweight library that helps to validate SVG files in security manners.

License

Notifications You must be signed in to change notification settings

bgalek/safe-svg

Repository files navigation

SVG SECURITY

Simple and lightweight library that helps to validate SVG files in security manners.

Build Codecov GitHub Release Date Maven Central Libraries.io dependency status for GitHub repo Scrutinizer code quality Quality Gate Status

It will help you in detecting malicious content inside uploaded SVGs.

Are you aware that SVG can cause XSS?

Read https://sekurak.pl/pozwalasz-ladowac-pliki-svg-masz-xss-a/ for more details.

Example

Try to upload this SVG into your application, if it passes through and user can browse this file - probably You are vulnerable to XSS attack.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Hello, world!');
</script>
</svg>

Usage

Add library dependency:

compile "com.github.bgalek.security.svg:safe-svg:1.1.4"

You can use this library to check uploaded svg files

SvgSecurityValidator svgSecurityValidator = SvgSecurityValidator.builder().build();
String svg = "<?xml version=\"1.0\" standalone=\"no\"?>\n" +
                "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n" +
                "<svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\">\n" +
                "<polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>\n" +
                "<script type=\"text/javascript\">\n" +
                "alert('Hello, world!');\n" +
                "</script>\n" +
                "</svg>";
        ValidationResult validation = svgSecurityValidator.validate(svg);
        if (validation.hasViolations()) {
            throw new RuntimeException("this file is suspicious" + validation.getOffendingElements());
        }

If you want to allow other (possibly non-safe) elements/attributes use

ValidationResult detect = SvgSecurityValidator.builder()
    .withAdditionalElements(elements)
    .withAdditionalAttributes(attributes)
    .build()
    .validate(testFile);