From dd656298362758021560b9912d135730ea99a7ed Mon Sep 17 00:00:00 2001
From: Dan Ungureanu
Date: Wed, 11 Dec 2019 16:28:35 +0200
Subject: [PATCH] SECURITY: Remove event handlers from SVG files
---
 lib/upload_creator.rb | 1 +
 spec/lib/upload_creator_spec.rb | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/lib/upload_creator.rb b/lib/upload_creator.rb
index ab1fa9a4a8..4db456376c 100644
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@@ -277,6 +277,7 @@ class UploadCreator
 def whitelist_svg!
 doc = Nokogiri::XML(@file)
 doc.xpath(svg_whitelist_xpath).remove
+ doc.xpath("//@*[starts-with(name(), 'on')]").remove
 File.write(@file.path, doc.to_s)
 @file.rewind
 end
diff --git a/spec/lib/upload_creator_spec.rb b/spec/lib/upload_creator_spec.rb
index b26d718307..09a0ddb9c0 100644
--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@@ -247,4 +247,26 @@ RSpec.describe UploadCreator do
 end
 end
 end
+
+ describe '#whitelist_svg!' do
+ let(:file) do
+ file = Tempfile.new
+ file.write(<<~XML)
+
+
+
+ XML
+ file.rewind
+ file
+ end
+
+ it 'removes event handlers' do
+ begin
+ UploadCreator.new(file, 'file.svg').whitelist_svg!
+ expect(file.read).not_to include('onload')
+ ensure
+ file.unlink
+ end
+ end
+ end
 end
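Review bot: The added XPath is case-sensitive, because `name()` and `starts-with()` compare exact characters, so an attribute spelled `ONLOAD` or `OnLoad` passes through the filter; that is harmless while the upload is parsed and served as XML, but it becomes a live handler if the SVG is ever inlined into an HTML document, where the HTML parser folds attribute names to lower case. A cheap hardening is `doc.xpath("//@*[starts-with(translate(name(), 'ON', 'on'), 'on')]").remove`. This line is also a deny-list for `on*` attributes only: `href="javascript:..."`, `<script>`, `<foreignObject>`, and `<set>`/`<animate>` retargeting `href` or a handler attribute are left to `svg_whitelist_xpath`, which is defined outside this hunk, so it is worth confirming those are stripped there rather than assuming it. I would add a comment on the new line, e.g. `# drop every event-handler attribute (onload, onclick, onbegin, ...); elements are handled by the whitelist above`.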
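Review bot: The assertion `expect(file.read).not_to include('onload')` only proves the substring is absent, which would also pass if the sanitizer emptied the document or if the fixture never contained `onload` at all (the heredoc body between `file.write(<<~XML)` and `XML` does not survive on this page, so I cannot confirm what it holds). Read the result once into a local and pair the negative check with a positive one, e.g. `content = file.read` then `expect(content).to include('<svg')` alongside `expect(content).not_to include('onload')`, so a sanitizer that destroys the whole file cannot pass. A second example using another handler name such as `onclick` would show the rule is the `on` prefix rather than one hard-coded attribute. A one-line comment on the `it` block noting that it exercises only attribute removal, not the element whitelist, would help the next reader.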