asf-tooling opened a new issue, #994:
URL: https://github.com/apache/tooling-trusted-releases/issues/994

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   The archive extraction process extracts all file types without inspecting 
SVG content. SVG is absent from the detection module's `_EXPECTED` dictionary, 
which covers 18 file extension categories but omits image formats entirely. 
Authenticated users can upload archives containing malicious `.svg` files, 
which are extracted to disk unmodified. If any download, preview, or serving 
mechanism returns these files inline to a browser (navigated to directly or 
embedded via `<object>`/`<iframe>`/`<embed>`; an SVG rendered through an 
`<img>` element or served as an attachment does not execute scripts), XSS is 
achievable in the serving origin.
   
   ### Details
   Affected files:
   - `atr/archives.py` lines 28-63, 39-47: Extraction without SVG filtering
   - `atr/detection.py` lines 26-49: No SVG in `_EXPECTED` dictionary
   
   The `detection.validate_directory()` function skips any file whose 
extension is not in `_EXPECTED`, so `.svg` files are never inspected and remain 
on disk with any scriptable content intact. Malicious SVG files in release 
archives therefore pass all validation undetected.
   
   ### Recommended Remediation
   1. Add SVG to the detection module: include `.svg` in the `_EXPECTED` 
dictionary with `_SVG_TYPES` set to `{'image/svg+xml'}`.
   2. Implement a `_validate_svg_file()` function in `detection.py` that 
`validate_directory()` calls for every SVG file. Parse the file as XML rather 
than regex-matching the raw bytes: character references such as 
`&#x6A;avascript:` and embedded whitespace or case changes defeat a byte-level 
pattern but are decoded by the parser before any check runs.
   3. Reject, at minimum:
      - `<script>` elements
      - `<foreignObject>` elements (they embed arbitrary XHTML)
      - Event handler attributes (`on*=`)
      - `javascript:` URIs in any attribute, including `href`/`xlink:href` 
and the `values`/`to` attributes of `<set>`/`<animate>`, which can rewrite an 
`href` at runtime
      - `<style>` elements and `style=` attributes that reference external 
`url()` resources
      - `<!DOCTYPE>` and entity declarations (XXE and entity-expansion risk)
   Prefer an allowlist of permitted elements and attributes over a denylist of 
known-bad patterns; a denylist is only as complete as its last known bypass.
   4. Reject or quarantine SVG files that fail these checks. Independently of 
the content check, any endpoint that serves extracted files to browsers should 
send `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` 
for SVG so that a file which slips through is downloaded rather than rendered.
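As an added illustration of the parse-then-check approach in steps 2 to 4 (example code written for this issue, not the project's own `atr/detection.py`), the following screens an SVG with expat and reports findings against an element allowlist and attribute rules. `validate_svg_bytes`, `validate_svg_file`, `ALLOWED_ELEMENTS` and `MAX_SVG_BYTES` are assumed names, the allowlist is an assumed policy, and the sample SVGs are constructed for the demonstration. It goes beyond the four patterns listed above: it also rejects DOCTYPE and entity declarations, processing instructions, non-fragment `href` targets, and `<set>`/`<animate>` through the allowlist.

```python
"""Structural SVG screening for extracted release archives.

Added example, not atr/detection.py's own code: each candidate .svg is parsed
as XML with expat and checked on decoded element and attribute values, so
character references and whitespace tricks cannot hide a payload. All names
(validate_svg_bytes, validate_svg_file, ALLOWED_ELEMENTS, MAX_SVG_BYTES) are
illustrative assumptions.
"""
import re
import xml.parsers.expat
from pathlib import Path

SVG_NS = "http://www.w3.org/2000/svg"
MAX_SVG_BYTES = 4 * 1024 * 1024  # assumed size cap; tune to real releases

# Assumed allowlist of drawing elements. <script>, <foreignObject>, <style>
# and <set>/<animate*> (which can rewrite href at runtime) are deliberately
# absent. Inkscape-style RDF children of <metadata> would be flagged as
# foreign-namespace elements; widen this if that is acceptable.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "symbol", "use", "title", "desc", "metadata",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "a", "image", "clipPath", "mask", "pattern",
    "linearGradient", "radialGradient", "stop",
}
# The only non-fragment href accepted: an inline raster image on <image>.
IMAGE_DATA_PREFIXES = ("data:image/png;", "data:image/jpeg;", "data:image/gif;")
# url(...) in a style attribute that is not a same-document "#fragment".
_EXTERNAL_CSS_URL = re.compile(r"@import|url\(['\"]?(?![#'\"])")


class _Abort(Exception):
    """Raised from a handler to stop expat before it expands anything."""


def _split(name: str) -> tuple[str, str]:
    """expat reports 'namespace-uri localname' when namespace_separator=' '."""
    ns, _, local = name.rpartition(" ")
    return ns, local


def _normalize(value: str) -> str:
    """Drop whitespace/control characters and case. Character references such
    as &#x6A; are already decoded by the parser, which is why matching on
    parsed values beats a regex over the raw bytes."""
    return "".join(ch for ch in value if ord(ch) > 0x20).lower()


def validate_svg_bytes(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the SVG passed."""
    if len(data) > MAX_SVG_BYTES:
        return [f"file exceeds {MAX_SVG_BYTES} bytes"]
    findings: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DOCTYPE means no entity declarations: this rules out external
        # entities and entity-expansion amplification before any expansion.
        raise _Abort(f"DOCTYPE {name!r} declared (entity/XXE risk)")

    def on_pi(target, pi_data):
        findings.append(f"processing instruction <?{target}?> (stylesheet risk)")

    def on_start(name, attrs):
        ns, local = _split(name)
        if ns != SVG_NS:
            findings.append(f"<{local}> is outside the SVG namespace ({ns or 'none'})")
        elif local not in ALLOWED_ELEMENTS:
            findings.append(f"<{local}> is not an allowlisted element")
        for raw_attr, value in attrs.items():
            _, attr = _split(raw_attr)  # xlink:href arrives as '<xlink-ns> href'
            norm = _normalize(value)
            if attr.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler {attr}= on <{local}>")
            if "javascript:" in norm:
                findings.append(f"javascript: URI in {attr}= on <{local}>")
            if attr == "href" and not value.strip().startswith("#"):
                if not (local == "image" and norm.startswith(IMAGE_DATA_PREFIXES)):
                    findings.append(f"<{local}> href is not a same-document fragment")
            if attr == "style" and _EXTERNAL_CSS_URL.search(norm):
                findings.append(f"style= on <{local}> references an external URL")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Abort as exc:
        findings.append(str(exc))
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def validate_svg_file(path: Path) -> list[str]:
    """File-level wrapper, the shape a _validate_svg_file() hook would take."""
    return validate_svg_bytes(path.read_bytes())


# Constructed samples for the demonstration (not from any real archive).
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">'
              b'<defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>'
              b'<rect width="10" height="10" fill="url(#g)" style="stroke:url(#g)"/><use xlink:href="#g"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    # &#x6A;ava&#10;script: defeats a regex over raw bytes; the parser decodes it.
    "encoded_href": b'<svg xmlns="http://www.w3.org/2000/svg"><a href="&#x6A;ava&#10;script:alert(1)"><text>x</text></a></svg>',
    "foreign": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
               b'<img src="x" onerror="alert(1)"/></body></foreignObject></svg>',
    "doctype": b'<!DOCTYPE svg [<!ENTITY a "b">]><svg xmlns="http://www.w3.org/2000/svg">&a;</svg>',
    "broken": b'<svg xmlns="http://www.w3.org/2000/svg"><rect></svg>',
}

if __name__ == "__main__":
    for label, svg in SAMPLES.items():
        print(label, validate_svg_bytes(svg) or "OK")
```

The `encoded_href` sample is the case that motivates parsing first: a byte-level regex for `javascript:` never sees the string, while the parser hands the handler the decoded value. Rejecting any DOCTYPE also removes the need for a separate entity-expansion guard, because no entity can be declared without one; the handler aborts the parse before expat reaches the document body.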
   
   ### Acceptance Criteria
   - [ ] SVG files are recognized in detection module
   - [ ] Dangerous SVG content is detected during archive validation
   - [ ] Malicious SVG files are rejected or quarantined
   - [ ] Unit tests verify dangerous SVG patterns are caught
   
   ### References
   - Source reports: L2:1.3.4.md
   - Related findings: FINDING-078
   - ASVS sections: 1.3.4
   
   ### Priority
   Medium
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
