asf-tooling opened a new issue, #993: URL: https://github.com/apache/tooling-trusted-releases/issues/993
**ASVS Level(s):** [L2-only]

**Description:**

### Summary

The entire codebase contains zero SVG sanitization logic — no library (e.g., bleach, DOMPurify, defusedxml, svg-sanitizer), no tag/attribute allowlist, and no function that strips dangerous SVG elements. If any current or future code path serves user-influenced SVG content to a browser, an attacker could embed `<script>`, `<foreignObject>`, or event handler attributes to achieve XSS.

### Details

The application documents seven defense layers in `input-validation.md`, but none address SVG content sanitization. Jinja2 auto-escaping prevents injection in template variables but does not sanitize SVG files or SVG content embedded in served HTML. If downloads.apache.org or any code path serves SVG as `image/svg+xml` or inline in HTML, XSS is achievable.

### Recommended Remediation

Create an SVG sanitization function using defusedxml or a similar library:

1. Implement a `sanitize_svg()` function in `atr/svg_sanitize.py`
2. Remove dangerous tags: `script`, `foreignObject`, `iframe`, `object`, `embed`, `set`, `animate`
3. Strip event handler attributes (`on*`)
4. Filter dangerous attribute values (`javascript:`, `data:text/html`)
5. Use a SAFE_SVG_TAGS allowlist: `svg`, `g`, `path`, `circle`, `ellipse`, `line`, `polyline`, `polygon`, `rect`, `text`, `tspan`, `defs`, `use`, `symbol`, `clipPath`, `mask`, `pattern`, `linearGradient`, `radialGradient`, `stop`, `title`, `desc`, `metadata`

### Acceptance Criteria

- [ ] SVG sanitization function exists and is tested
- [ ] Dangerous SVG tags and attributes are removed
- [ ] Sanitization is applied wherever SVG content may reach a browser
- [ ] Unit tests verify dangerous SVG elements are stripped

### References

- Source reports: L2:1.3.4.md
- Related findings: FINDING-079
- ASVS sections: 1.3.4

### Priority

Medium

---

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
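One way to implement the `sanitize_svg()` the issue asks for, as an added example that is not the project's code and not part of the issue text. It uses the issue's SAFE_SVG_TAGS allowlist and its three attribute rules (strip `on*`, reject `javascript:` and `data:text/html`), parsed with `defusedxml.ElementTree` when available and the stdlib `xml.etree` parser otherwise. Two checks go beyond what the issue lists and are assumptions of this example: `vbscript:` is rejected alongside `javascript:`, and `<use>` may only reference a fragment (`#id`) inside the same document. The module path `atr/svg_sanitize.py`, the helper names, and the `MALICIOUS_SVG` sample are constructed for the demonstration.

```python
"""Allowlist-based SVG sanitizer (added example; not the project's own code)."""
import re
import xml.etree.ElementTree as ET

try:
    # The issue recommends defusedxml: same fromstring() API as the stdlib, but it
    # refuses entity expansion and external DTD/entity fetches (billion laughs, XXE).
    from defusedxml.ElementTree import fromstring as _parse
except ImportError:  # assumption: the stdlib parser is acceptable for this offline demo
    _parse = ET.fromstring

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Serialise with the conventional prefixes instead of ElementTree's ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Tag allowlist copied from the issue. Anything else (script, foreignObject, iframe,
# a, style, image, animate, ...) is dropped together with its whole subtree, so a
# <script> nested inside a removed element can never survive.
SAFE_SVG_TAGS = frozenset({
    "svg", "g", "path", "circle", "ellipse", "line", "polyline", "polygon", "rect",
    "text", "tspan", "defs", "use", "symbol", "clipPath", "mask", "pattern",
    "linearGradient", "radialGradient", "stop", "title", "desc", "metadata",
})

# Attribute values that must never reach a browser (issue item 4, plus vbscript:).
_DANGEROUS_VALUE_MARKERS = ("javascript:", "vbscript:", "data:text/html")
# Browsers ignore ASCII whitespace/control characters inside a URL scheme, so
# "java\nscript:" still runs as javascript:; strip them before comparing.
_CTRL_OR_WS = re.compile(r"[\x00-\x20\x7f]")


def _local_name(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return qname.rsplit("}", 1)[-1]


def _is_dangerous_value(value: str) -> bool:
    # The XML parser has already decoded character references such as
    # &#106;avascript:, so only whitespace/control-char obfuscation remains.
    normalised = _CTRL_OR_WS.sub("", value).lower()
    return any(marker in normalised for marker in _DANGEROUS_VALUE_MARKERS)


def _clean_attributes(elem: ET.Element) -> None:
    for name, value in list(elem.attrib.items()):
        local = _local_name(name).lower()
        if local.startswith("on"):          # onload=, onclick=, ONERROR=, ...
            del elem.attrib[name]
        elif _is_dangerous_value(value):     # href="javascript:..", style="..url(javascript:..)"
            del elem.attrib[name]
        elif local == "href" and _local_name(elem.tag) == "use" and not value.startswith("#"):
            # Assumption beyond the issue: <use> may only reference ids in this
            # document, never an external file.
            del elem.attrib[name]


def _clean_element(elem: ET.Element) -> None:
    _clean_attributes(elem)
    previous = None
    for child in list(elem):
        if _local_name(child.tag) in SAFE_SVG_TAGS:
            _clean_element(child)
            previous = child
            continue
        # Drop the element and its subtree, but keep the text that followed it
        # (its .tail) so visible text inside <text> elements is not lost.
        tail = child.tail or ""
        if previous is not None:
            previous.tail = (previous.tail or "") + tail
        else:
            elem.text = (elem.text or "") + tail
        elem.remove(child)


def sanitize_svg(svg_text: str) -> str:
    """Return a serialised copy of svg_text containing only allowlisted content.

    Comments and processing instructions (e.g. <?xml-stylesheet?>) are discarded by
    the default parser, so they need no handling here.
    """
    root = _parse(svg_text)
    if _local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _clean_element(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample input exercising each rule in the issue.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.domain)</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body></foreignObject>
  <circle cx="10" cy="10" r="5"/>
  <a xlink:href="javascript:alert(3)"><text>click</text></a>
  <rect width="10" height="10" style="fill:url(java&#10;script:alert(4))" onclick="alert(5)"/>
  <use xlink:href="http://attacker.example/evil.svg#x"/>
  <text>Hello <tspan>world</tspan></text>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(MALICIOUS_SVG))
```

The allowlist is matched exactly, which is deliberate: when SVG is inlined in HTML the HTML parser lowercases `<SCRIPT>` to a real script element, but since `SCRIPT` is not on the list it is removed either way. The value check is intentionally broad (a `title` attribute containing the literal text `javascript:` is also stripped); accepting that false positive is cheaper than enumerating every attribute that a browser treats as a URL.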
