FORMS-15852 xss security fix for svg upload in file attachment (#1462)

rajatofficial · rajatkhurana-adobe · web-flow · commit 6bbccfc82714 · 2024-10-28T13:30:04.000+05:30
* FORMS-15852 xss fix for svg upload in file upload

* FORMS-15852 xss fix for svg upload in file upload II

* FORMS-15852 xss fix for svg upload in file upload main

* FORMS-15852 xss fix for svg upload in file upload main II

* FORMS-15852 xss fix for svg upload in file upload main II

* FORMS-15852 xss fix for svg upload in file upload main II

---------

Co-authored-by: Rajat Khurana &lt;rajatkhurana@adobe.com&gt;
diff --git a/ui.frontend/src/view/FormFileInputWidgetBase.js b/ui.frontend/src/view/FormFileInputWidgetBase.js
@@ -14,8 +14,6 @@
  * limitations under the License.
  ******************************************************************************/
 
-import FormField from "./FormField"
-import FormFieldBase from "./FormFieldBase"
 
 /**
  * This class is responsible for interacting with the file input widget. It implements the file preview,
@@ -126,13 +124,25 @@ class FormFileInputWidgetBase {
             return index;
         }
 
+        static displaySVG(objectUrl) {
+            const url = objectUrl;
+            const img = document.createElement('img');
+            img.src = url;
+            const newTab = window.open('', '_blank', 'scrollbars=no,menubar=no,height=600,width=800,resizable=yes,toolbar=no,status=no');
+            newTab?.document?.body.appendChild(img);
+        }
+
         static previewFileUsingObjectUrl(file) {
             if (file) {
                 if (window.navigator && window.navigator.msSaveOrOpenBlob) { // for IE
                     window.navigator.msSaveOrOpenBlob(file, file.name);
                 } else {
                     let url = window.URL.createObjectURL(file);
-                    window.open(url, '', 'scrollbars=no,menubar=no,height=600,width=800,resizable=yes,toolbar=no,status=no');
+                    if (file.type === 'image/svg+xml') {
+                        this.displaySVG(url)
+                     } else {
+                        window.open(url, '', 'scrollbars=no,menubar=no,height=600,width=800,resizable=yes,toolbar=no,status=no');
+                     }
                     return url;
                 }
             }
@@ -149,7 +159,6 @@ class FormFileInputWidgetBase {
             }
             // this would work for dataURl or normal URL
             window.open(url, '', 'scrollbars=no,menubar=no,height=600,width=800,resizable=yes,toolbar=no,status=no');
-
         }
         // this function maintains a map for
         handleFilePreview (event){
diff --git a/ui.tests/test-module/libs/fixtures/sample.svg b/ui.tests/test-module/libs/fixtures/sample.svg
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+<rect width="24" height="24" fill="white"/>
+<script type="text/javascript">
+    function log() {
+      console.log('Custom logger called!');
+    }
+    window.onload = log;
+</script>
+<path d="M7 14.5L12 9.5L17 14.5" stroke="#000000" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>
diff --git a/ui.tests/test-module/libs/support/commands.js b/ui.tests/test-module/libs/support/commands.js
@@ -41,8 +41,8 @@
 // Cypress.Commands.overwrite("visit", (originalFn, url, options) => { ... })
 
 
-import { recurse } from 'cypress-recurse';
 import 'cypress-plugin-snapshots/commands';
+import { recurse } from 'cypress-recurse';
 
 const commons = require('../commons/commons'),
     siteSelectors = require('../commons/sitesSelectors'),
@@ -768,6 +768,7 @@ const mimeTypes = {
     'txt': 'text/plain',
     'bat': 'application/x-msdos-program',
     'msg': 'application/vnd.ms-outlook',
+    'svg': 'image/svg+xml',
     // Add more mappings as needed
 };
 
diff --git a/ui.tests/test-module/specs/fileinput/fileinputv2.runtime.cy.js b/ui.tests/test-module/specs/fileinput/fileinputv2.runtime.cy.js
@@ -229,6 +229,22 @@ describe("Form with File Input V-2 - Basic Tests", () => {
     //     cy.get('.cmp-adaptiveform-fileinput__filelist').eq(0).children().should('have.length', 0);
     })
 
+    it("check SVG upload and preview functionality", () => {
+        let sampleFileNames = ['sample.svg'];
+        const fileInput = "input[name='fileinput1']";
+        
+        cy.attachFile(fileInput, [sampleFileNames[0]]);
+        
+        checkFilePreviewInFileAttachment(fileInput);
+        
+        cy.get('.cmp-adaptiveform-fileinput__filelist')
+            .children()
+            .should('have.length', 1)
+            .and('contain.text', sampleFileNames[0]);
+
+        deleteSelectedFiles(fileInput, [sampleFileNames[0]]);
+    });
+
     it(`fielinput is disabled when readonly property is true`, () => {
         const fileInput5 =  "input[name='fileinput5']";
         cy.get(fileInput5).should("have.attr", "disabled", "disabled"); 
