feat: sanitize SVGs even though only admins can upload them (#615)

* sanitize SVGs even though only admins can upload them

* move sanitization into its own function

Cargo.toml

@@ -96,6 +96,7 @@ serde_with = { version = "3.8.1", features = ["macros"] }
 spow = { version = "0.4", features = ["server"] }
 sqlx = { version = "0.8.2", features = ["macros", "migrate", "postgres", "runtime-tokio", "sqlite", "tls-rustls", "uuid"] }
 strum = { version = "0.26.3", features = ["derive"] }
+svg-hush = "0.9.4"
 time = { version = "0.3", features = ["formatting", "local-offset", "macros", "parsing", "serde"] }
 tracing = { version = "0.1", features = ["attributes"] }
 tracing-subscriber = { version = "0.3", features = ["env-filter", "json", "tracing"] }

src/error/Cargo.toml

@@ -27,6 +27,7 @@ serde_json = { workspace = true }
 serde_json_path = { workspace = true }
 spow = { workspace = true }
 sqlx = { workspace = true }
+svg-hush = { workspace = true }
 time = { workspace = true }
 tracing = { workspace = true }
 tokio = { workspace = true }

src/error/src/error_impls.rs

@@ -16,6 +16,7 @@ use serde_json_path::ParseError;
 use spow::pow::PowError;
 use std::borrow::Cow;
 use std::string::FromUtf8Error;
+use svg_hush::FError;
 use time::OffsetDateTime;
 use tracing::{debug, error, trace};
 
@@ -473,3 +474,13 @@ impl From<ruma::client::Error<reqwest::Error, ruma::api::client::Error>> for Err
         )
     }
 }
+
+impl From<svg_hush::FError> for ErrorResponse {
+    fn from(value: FError) -> Self {
+        trace!("{:?}", value);
+        ErrorResponse::new(
+            ErrorResponseType::BadRequest,
+            format!("svg sanitization error: {:?}", value),
+        )
+    }
+}

src/models/Cargo.toml

@@ -69,6 +69,7 @@ serde_json_path = { workspace = true }
 serde_with = { workspace = true }
 spow = { workspace = true }
 sqlx = { workspace = true }
+svg-hush = { workspace = true }
 strum = { workspace = true }
 time = { workspace = true }
 tracing = { workspace = true }

src/models/src/entity/auth_providers.rs

@@ -1077,8 +1077,6 @@ impl AuthProviderCallback {
 pub struct AuthProviderTemplate {
     pub id: String,
     pub name: String,
-    // pub logo: Option<Vec<u8>>,
-    // pub logo_type: Option<String>,
 }
 
 impl AuthProviderTemplate {

src/models/src/entity/logos.rs

@@ -2,7 +2,7 @@ use crate::database::{Cache, DB};
 use actix_web::web;
 use hiqlite::{params, Param, Row};
 use image::imageops::FilterType;
-use image::ImageFormat;
+use image::{EncodableLayout, ImageFormat};
 use jwt_simple::prelude::{Deserialize, Serialize};
 use rauthy_common::constants::{
     CACHE_TTL_APP, CONTENT_TYPE_WEBP, IDX_AUTH_PROVIDER_LOGO, IDX_CLIENT_LOGO,
@@ -11,6 +11,7 @@ use rauthy_common::is_hiqlite;
 use rauthy_error::{ErrorResponse, ErrorResponseType};
 use sqlx::{query, query_as};
 use std::io::Cursor;
+use svg_hush::data_url_filter;
 use tracing::debug;
 
 // The default height a client logo will be resized to
@@ -204,7 +205,7 @@ impl Logo {
             id,
             res: LogoRes::Svg,
             content_type,
-            data: logo,
+            data: Self::sanitize_svg(&mut logo.as_bytes())?,
         };
         slf.upsert_self(typ, true).await
     }
@@ -452,4 +453,14 @@ impl Logo {
             LogoType::AuthProvider => format!("{}_{}", IDX_AUTH_PROVIDER_LOGO, id),
         }
     }
+
+    fn sanitize_svg(source: &mut [u8]) -> Result<Vec<u8>, ErrorResponse> {
+        let mut filter = svg_hush::Filter::new();
+        filter.set_data_url_filter(data_url_filter::allow_standard_images);
+
+        let mut sanitized = Vec::with_capacity(source.len());
+        filter.filter(&mut source.as_bytes(), &mut sanitized)?;
+
+        Ok(sanitized)
+    }
 }