safe-svg

A simple and lightweight library that helps validate SVG files from a security standpoint.

APACHE-2.0 License

Stars
41

SVG SECURITY

It will help you in detecting malicious content inside uploaded SVGs.

Are you aware that SVG can cause XSS?

Read https://sekurak.pl/pozwalasz-ladowac-pliki-svg-masz-xss-a/ for more details.

Example

Try uploading this SVG into your application. If it passes through and a user can browse to the file, you are probably vulnerable to an XSS attack.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Hello, world!');
</script>
</svg>

Usage

Add library dependency:

compile "com.github.bgalek.security.svg:safe-svg:1.1.4"

You can use this library to check uploaded SVG files:

SvgSecurityValidator svgSecurityValidator = SvgSecurityValidator.builder().build();
String svg = "<?xml version=\"1.0\" standalone=\"no\"?>\n" +
        "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\n" +
        "<svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\">\n" +
        "<polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>\n" +
        "<script type=\"text/javascript\">\n" +
        "alert('Hello, world!');\n" +
        "</script>\n" +
        "</svg>";
ValidationResult validation = svgSecurityValidator.validate(svg);
if (validation.hasViolations()) {
    throw new RuntimeException("this file is suspicious" + validation.getOffendingElements());
}

If you want to allow other (possibly unsafe) elements or attributes, use:

// `elements` and `attributes` hold the names of the extra SVG elements and attributes
// you choose to trust; `testFile` is the SVG content to check.
ValidationResult detect = SvgSecurityValidator.builder()
    .withAdditionalElements(elements)
    .withAdditionalAttributes(attributes)
    .build()
    .validate(testFile);
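
To see what a check like this has to look for, here is an added, stand-alone example (not safe-svg's own code) that parses an uploaded SVG with a hardened XML parser and reports the active-content constructs the README warns about: <script> elements, on* event-handler attributes and javascript: hrefs. The class name, the sample SVG (the README's triangle with its embedded script) and the parser settings are this example's own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SvgActiveContentCheck {
    // Hardened parser: the sample's DOCTYPE is tolerated, but no external DTD or entity is ever fetched.
    static DocumentBuilder secureBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newDocumentBuilder();
    }

    // Lists every <script> element, on* event-handler attribute and javascript: href in the SVG.
    static List<String> findActiveContent(String svg) throws Exception {
        var doc = secureBuilder().parse(new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<>();
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element el = (Element) all.item(i);
            if ("script".equalsIgnoreCase(el.getLocalName())) findings.add("<script> element");
            var attrs = el.getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                String name = attrs.item(j).getNodeName().toLowerCase();
                String value = attrs.item(j).getNodeValue().trim().toLowerCase();
                if (name.startsWith("on")) findings.add(name + " handler on <" + el.getTagName() + ">");
                else if (name.endsWith("href") && value.startsWith("javascript:")) findings.add("javascript: URL in " + name);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the README's triangle SVG, DOCTYPE included, with its embedded <script>.
        String hostile = "<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">"
                + "<svg xmlns=\"http://www.w3.org/2000/svg\"><polygon points=\"0,0 0,50 50,0\"/>"
                + "<script type=\"text/javascript\">alert('Hello, world!');</script></svg>";
        System.out.println(findActiveContent(hostile));
    }
}
```

This is a denylist of a few known constructs, so it only illustrates the idea; the library's allowlist approach (everything not explicitly permitted via withAdditionalElements/withAdditionalAttributes is a violation) is the stronger default for uploads.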