I have an svg with this content:
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file://C:/WINDOWS/System32/drivers/etc/hosts" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg">
<foreignObject width="100%" height="100%">
<body xmlns="http://www.w3.org/1999/xhtml">
<div style="font-size: 50px; line-height: 1.2;">
&xxe;
</div>
</body>
</foreignObject>
</svg>
I use this code to convert it:
var configuration = new Aspose.Html.Configuration();
//https://reference.aspose.com/html/net/aspose.html/sandbox/
configuration.Security |= Sandbox.Navigation;
configuration.Security |= Sandbox.AuxiliaryNavigation;
configuration.Security |= Sandbox.TopLevelNavigation;
configuration.Security |= Sandbox.Plugins;
configuration.Security |= Sandbox.Origin;
configuration.Security |= Sandbox.Forms;
configuration.Security |= Sandbox.Scripts;
configuration.Security |= Sandbox.PointerLock;
configuration.Security |= Sandbox.AutomaticFeatures;
configuration.Security |= Sandbox.Fullscreen;
configuration.Security |= Sandbox.DocumentDomain;
configuration.Security |= Sandbox.Images;
using (var document = new SVGDocument(svgPath, configuration))
{
var options = new ImageSaveOptions(Aspose.Html.Rendering.Image.ImageFormat.Png);
Converter.ConvertSVG(document, options, pngPath);
}
I get the content of my hosts file as output. Are there any security options or other settings I missed that could disable this behavior?
I would like to get either an empty image, an error or just the plain text that is available, but never the content of my hosts file.
@hihabyte
It appears that you are encountering an XML External Entity (XXE) injection vulnerability when converting SVG files using Aspose.Html. This can happen if the SVG parser is configured to allow external entities, which can lead to security risks such as unauthorized file access.
To mitigate this issue, you should ensure that the SVG parser is configured to disallow external entities. Unfortunately, the provided context does not specify any direct settings to disable XXE in Aspose.Html. However, here are some general recommendations you can follow:
-
Disable DTD Processing: If there is an option to disable DTD (Document Type Definition) processing in the configuration, make sure to enable it. This will prevent the parser from processing any external entities defined in the DTD.
-
Review Security Settings: While you have set various security options in your configuration, ensure that none of them inadvertently allow external entity processing. You may want to consult the Aspose.Html documentation for any specific flags related to XML security.
-
Use a Safe SVG Input: If possible, sanitize or validate the SVG input to ensure it does not contain any potentially harmful content before processing it.
-
Update Aspose.Html: Ensure you are using the latest version of Aspose.Html, as security vulnerabilities are often addressed in newer releases.
If you continue to experience issues, consider reaching out to Aspose support or checking their forums for any updates or patches related to this specific vulnerability.
For further details, you can refer to the official documentation or examples provided by Aspose.Html.
Sources:
[1]: SVG to Image Conversion Example
I’m on Aspose.HTML 24.12. I know I can sanitize the svg input myself, but I would have expected Aspose to do this for me.
@hihabyte
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.
Issue ID(s): HTMLNET-6083
You can obtain Paid Support Services if you need support on a priority basis, along with the direct access to our Paid Support management team.
The issues you have found earlier (filed as HTMLNET-6083) have been fixed in this update. This message was posted using Bugs notification tool by avpavlysh
@hihabyte
About the fix, we have simply chosen to ignore all such links.