Bug #96901: Upgrade enshrined/svg-sanitize to ^0.15 - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #96901

closed

Upgrade enshrined/svg-sanitize to ^0.15

Added by Kevin Lange about 2 years ago. Updated over 1 year ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Security

Target version:

Start date:

2022-02-15

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

7.4

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

Currently roave/security-advisories prevents typo3 10.4.x from installing/upgrading due to a dependency on enshrined/svg-sanitize with a security vulnerability.

 - typo3/cms-core[v10.4.20, v10.4.21, v10.4.22, v10.4.23, v10.4.24, 10.4.x-dev] require enshrined/svg-sanitize ^0.14.1 -> satisfiable by enshrined/svg-sanitize[0.14.1].
.....
   - roave/security-advisories dev-latest conflicts with enshrined/svg-sanitize 0.14.1.

Possible solution:
Upgrade enshrined/svg-sanitize to 0.15.x

Further Information:
https://packagist.org/packages/enshrined/svg-sanitize links to https://github.com/darylldoyle/svg-sanitizer which contains an open issue (https://github.com/darylldoyle/svg-sanitizer/issues/71) regarding CVE-2022-23638 (https://nvd.nist.gov/vuln/detail/CVE-2022-23638)

Roave/SecurityAdvisories updated their constraints in a recent update:
https://github.com/Roave/SecurityAdvisories/commit/1032f0ce78ed92e983c17697eafd202ac5cbbca4

Related issues 3 (0 open — 3 closed)

Actions

Copy link

Updated by Gerrit Code Review about 2 years ago

Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516

Actions

Copy link

Updated by Oliver Hader about 2 years ago

Has duplicate Task #96902: Upgrade enshrined/svg-sanitize to ^0.15.0 added

Actions

Copy link

Updated by Oliver Hader about 2 years ago

Subject changed from typo3/cms-core requires a version of enshrined/svg-sanitize with a security vulnerability to Upgrade enshrined/svg-sanitize to ^0.15
Assignee deleted (~~Oliver Hader~~)

Actions

Copy link

Updated by Oliver Hader about 2 years ago

Recent update of package enshrined/svg-sanitize v0.15.0 has been released during the weekend - unfortunately this has not been coordinated with other projects depending on this library. Currently, the explanation in corresponding advisory lacks describing the vulnerable scenario and the implications.

That's why I created a ticket, trying to come up with potential scenarios and requesting more details from the maintainer.
→ see https://github.com/darylldoyle/svg-sanitizer/issues/71

Thus, the current understanding is, that recent changes in enshrined/svg-sanitize addressed a cross-site scripting vulnerability when SVG is used inline, embedded in HTML content only. We're still waiting for approval and a potential update of the corresponding advisory.

Besides that, there has been a report by others about a potential regression after the update to v0.15.0 of the library - I've already created a corresponding PR addressing this regression - which has not been picked up by the maintainer, yet.
→ see https://github.com/darylldoyle/svg-sanitizer/issues/70
→ see https://github.com/darylldoyle/svg-sanitizer/pull/72

To overcome the failure message of roave/security-advisories as a work-around, there are basically two options in those custom projects:

upgrade the enshrined/svg-sanitize: composer req enshrined/svg-sanitize:^0.15 (taking the risk of being affected by the regression mentioned above)
disable (ignore) roave/security-advisories to perform updating other packages
- composer remove --dev roave/security-advisories
- perform your upgrades to other packages
- composer req --dev --no-update roave/security-advisories:dev-latest (without running updates)
- composer update --lock (just updating composer.lock file)
- NOTE: This is just a work-around!

In general enshrined/svg-sanitize is used in TYPO3 to avoid malicious file-uploads (e.g. logos or avatar images) being available via a public readable storage like https://example.org/fileadmin/evil-logo.svg.

References to earlier announcements concerning SVG-vulnerabilities:

Actions

Copy link

Updated by Anonymous about 2 years ago

Thanks for posting the workaround. Saved some headache!

Actions

Copy link

Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516

Actions

Copy link

Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73627

Actions

Copy link

Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73628

Actions

Copy link

Updated by Gerrit Code Review about 2 years ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516

Actions

Copy link

#10

Updated by Gerrit Code Review about 2 years ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516

Actions

Copy link

#11