Sanitize custom map SVGs (#16448)

https://github.com/librenms/librenms/security/advisories/GHSA-x8gm-j36p-fppf Will only sanitize new SVGs. If you have existing backgrounds, they will not be sanitized. XSS cannot be triggered within the LibreNMS UI, to trigger, you must directly visit the background image URL.
2024-10-07 16:52:45 +00:00 · 2024-09-29 08:17:21 -05:00
parent 36b38a50cc
commit d959bf1b36
3 changed files with 60 additions and 3 deletions
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "cfd22f9b26f539a6adc0ee571737bfcf",
+    "content-hash": "fee5d24447dced4397e26066f8c9ee59",
    "packages": [
        {
            "name": "amenadiel/jpgraph",
@@ -1175,6 +1175,51 @@
            ],
            "time": "2023-10-06T06:47:41+00:00"
        },
+        {
+            "name": "enshrined/svg-sanitize",
+            "version": "0.20.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/darylldoyle/svg-sanitizer.git",
+                "reference": "068d9fcf912c88a0471d101d95a2caa87c50aee7"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/068d9fcf912c88a0471d101d95a2caa87c50aee7",
+                "reference": "068d9fcf912c88a0471d101d95a2caa87c50aee7",
+                "shasum": ""
+            },
+            "require": {
+                "ext-dom": "*",
+                "ext-libxml": "*",
+                "php": "^7.1 || ^8.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^6.5 || ^8.5"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "enshrined\\svgSanitize\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "GPL-2.0-or-later"
+            ],
+            "authors": [
+                {
+                    "name": "Daryll Doyle",
+                    "email": "daryll@enshrined.co.uk"
+                }
+            ],
+            "description": "An SVG sanitizer for PHP",
+            "support": {
+                "issues": "https://github.com/darylldoyle/svg-sanitizer/issues",
+                "source": "https://github.com/darylldoyle/svg-sanitizer/tree/0.20.0"
+            },
+            "time": "2024-09-05T10:18:12+00:00"
+        },
        {
            "name": "ezyang/htmlpurifier",
            "version": "v4.17.0",