CVE-2021-43842: fix: sanitize SVG uploads · Requarks/wiki@5d3e814

Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and earlier are vulnerable to stored cross-site scripting through an SVG file upload. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the SVG is viewed directly by other users. Scripts do not execute when the SVG is loaded inside a page via a normal <img> tag. Commit 5d3e81496fba1f0fbd64eeb855f30f69a9040718 fixes this vulnerability by adding an optional (enabled by default) SVG sanitization step to all file uploads that match the SVG MIME type. As a workaround, disable file upload for all non-trusted users. Wiki.js version 2.5.260 is the first production version to contain a patch. Version 2.5.258 is the first development build to contain a patch and is available only as a Docker image as requarks/wiki:canary-2.5.258.
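The sanitization step the advisory describes, shown as an added illustrative example in Node.js-style JavaScript. This is not the Wiki.js code from commit 5d3e814; the `sanitizeSvg` and `processUpload` names, the upload-record shape (`filename`, `mimetype`, `content`) and the `scanSvg` option (standing in for the `uploadScanSVG` setting) are assumptions for this illustration, and the sample SVG is constructed.

```javascript
// Added example (not Wiki.js code): a denylist-plus-scheme-check SVG sanitizer
// for an upload pipeline, mirroring the "scan and sanitize SVG uploads" step
// described in the advisory. Function names and the upload-record shape are
// assumptions for this illustration.

const DANGEROUS_ELEMENTS = ['script', 'foreignObject', 'iframe', 'object', 'embed'];
const URL_ATTRS = new Set(['href', 'xlink:href', 'src', 'data']);

// Tokenizer for XML-style tags with quoted (or bare) attribute values.
const TAG_RE = /<\/?[a-zA-Z][\w:.-]*(?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*\s*\/?>/g;
const ATTR_RE = /\s+([^\s=\/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Decode numeric character references and drop whitespace/control characters
// so an obfuscated scheme such as "java&#x73;cript:" or "java\tscript:" is
// still recognised before the prefix check.
function normalizeUrl(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/[\s\u0000-\u001f]/g, '')
    .toLowerCase();
}

function isScriptUrl(value) {
  const v = normalizeUrl(value);
  return v.startsWith('javascript:') || v.startsWith('vbscript:') || v.startsWith('data:text/html');
}

function unquote(raw) {
  return /^["']/.test(raw) ? raw.slice(1, -1) : raw;
}

// Remove event-handler attributes (on*) and script-scheme URL attributes
// from a single opening or self-closing tag; closing tags pass through.
function sanitizeTag(tag) {
  const m = /^<(\/?)([a-zA-Z][\w:.-]*)([\s\S]*?)(\/?)>$/.exec(tag);
  if (!m || m[1]) return tag;
  const [, , name, attrs, selfClose] = m;
  const cleaned = attrs.replace(ATTR_RE, (whole, attrName, rawValue) => {
    const lname = attrName.toLowerCase();
    if (lname.startsWith('on')) return '';
    if (rawValue !== undefined && URL_ATTRS.has(lname) && isScriptUrl(unquote(rawValue))) return '';
    return whole;
  });
  return `<${name}${cleaned}${selfClose}>`;
}

// Strip DOCTYPE (internal entity declarations), comments, the dangerous
// elements together with their content, then clean every remaining tag.
function sanitizeSvg(svgText) {
  let out = svgText
    .replace(/<!DOCTYPE[^>\[]*(?:\[[\s\S]*?\])?\s*>/gi, '')
    .replace(/<!--[\s\S]*?-->/g, '');
  for (const el of DANGEROUS_ELEMENTS) {
    const selfClosing = new RegExp(`<${el}\\b[^>]*/>`, 'gi');
    const paired = new RegExp(`<${el}\\b[^>]*>[\\s\\S]*?</${el}\\s*>`, 'gi');
    out = out.replace(selfClosing, '').replace(paired, '');
  }
  return out.replace(TAG_RE, sanitizeTag);
}

// Upload-side hook: only SVG uploads are rewritten, and only when the
// scanSvg option (assumed stand-in for uploadScanSVG) is on. The extension
// check is an addition beyond the advisory's MIME-type match, because the
// MIME type is client-supplied and cannot be trusted on its own.
function processUpload(file, { scanSvg = true } = {}) {
  const isSvg = file.mimetype === 'image/svg+xml' || /\.svg$/i.test(file.filename);
  if (!isSvg || !scanSvg) return { ...file, sanitized: false };
  return { ...file, content: sanitizeSvg(file.content), sanitized: true };
}

// Constructed sample upload exercising each stripped construct.
const SAMPLE_SVG = [
  '<?xml version="1.0"?>',
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">',
  '  <script>alert(1)</script>',
  '  <a xlink:href="java&#x73;cript:alert(1)"><circle r="5"/></a>',
  '  <foreignObject><div>html</div></foreignObject>',
  '</svg>',
].join('\n');

function demo() {
  return processUpload({ filename: 'logo.svg', mimetype: 'image/svg+xml', content: SAMPLE_SVG });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo().content);
}
```

The hand-written tokenizer is a teaching device; in production use a maintained DOM-based sanitizer rather than regular expressions, since malformed markup that the tokenizer does not recognise passes through untouched. Because the advisory notes that the script runs only when the SVG is viewed directly, serving user uploads with a restrictive Content-Security-Policy or a `Content-Disposition: attachment` header is a useful defense in depth alongside sanitization.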

@@ -142,6 +142,15 @@ :suffix=’$t(`admin:security.maxUploadBatchSuffix`)' style=’max-width: 450px;’ ) v-divider.mt-3 v-switch( inset label=’Scan and Sanitize SVG Uploads’ color=’primary’ v-model=’config.uploadScanSVG’ persistent-hint hint=’Should SVG uploads be scanned for vulnerabilities and stripped of any potentially unsafe content.’ )
v-card.mt-3.animated.fadeInUp.wait-p2s v-toolbar(flat, color=’primary’, dark, dense) @@ -242,6 +251,7 @@ export default { config: { uploadMaxFileSize: 0, uploadMaxFiles: 0, uploadScanSVG: true, securityOpenRedirect: true, securityIframe: true, securityReferrerPolicy: true, @@ -286,6 +296,7 @@ export default { $authJwtRenewablePeriod: String $uploadMaxFileSize: Int $uploadMaxFiles: Int $uploadScanSVG: Boolean $securityOpenRedirect: Boolean $securityIframe: Boolean $securityReferrerPolicy: Boolean @@ -307,6 +318,7 @@ export default { authJwtRenewablePeriod: $authJwtRenewablePeriod, uploadMaxFileSize: $uploadMaxFileSize, uploadMaxFiles: $uploadMaxFiles, uploadScanSVG: $uploadScanSVG securityOpenRedirect: $securityOpenRedirect, securityIframe: $securityIframe, securityReferrerPolicy: $securityReferrerPolicy, @@ -337,6 +349,7 @@ export default { authJwtRenewablePeriod: _.get(this.config, 'authJwtRenewablePeriod’, ‘’), uploadMaxFileSize: _.toSafeInteger(_.get(this.config, 'uploadMaxFileSize’, 0)), uploadMaxFiles: _.toSafeInteger(_.get(this.config, 'uploadMaxFiles’, 0)), uploadScanSVG: _.get(this.config, 'uploadScanSVG’, false), securityOpenRedirect: _.get(this.config, 'securityOpenRedirect’, false), securityIframe: _.get(this.config, 'securityIframe’, false), securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy’, false), @@ -388,6 +401,7 @@ export default { authJwtRenewablePeriod uploadMaxFileSize uploadMaxFiles uploadScanSVG securityOpenRedirect securityIframe securityReferrerPolicy
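Review bot: the `hint` text on the new `v-switch` in the `@@ -142,6 +142,15 @@` hunk is phrased as a question but ends with a period, and "scanned for vulnerabilities" overstates what the option does; per the label and the rest of the hint, the setting strips potentially unsafe content from uploaded SVGs. Suggest a declarative hint such as `hint='Strip scripts, event handlers and other potentially unsafe content from uploaded SVG files.'`.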
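Review bot: `uploadScanSVG: $uploadScanSVG` in the `@@ -307,6 +318,7 @@` hunk lacks the trailing comma that every neighbouring argument has (`uploadMaxFiles: $uploadMaxFiles,` above it, `securityOpenRedirect: $securityOpenRedirect,` below). GraphQL treats commas as insignificant, so this is not a syntax error, but the mutation argument list should stay consistently formatted.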
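Review bot: in the `@@ -337,6 +349,7 @@` hunk the fallback `_.get(this.config, 'uploadScanSVG', false)` disagrees with the `data()` default `uploadScanSVG: true` added in `@@ -242,6 +251,7 @@` and with the advisory's "enabled by default". If the server returns a config object without this key (an instance upgraded before the new setting is persisted), the admin page would render the switch off and a subsequent save would send `uploadScanSVG: false`. The neighbouring `security*` flags follow the same `false` fallback, so this may be deliberate, but for a security control that is meant to be on by default the fallback should be `true`, or the server should be verified to always return the key.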
