3pp-mirror/penpot
1
0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2025-05-12 19:36:37 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'staging' into develop

Browse source
This commit is contained in:
Andrey Antukh 2021-04-06 20:09:00 +02:00
commit 46b55822dc
4 changed files with 17 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
backend/src/app/http.clj
View file

@ -140,7 +140,7 @@
[middleware/errors errors/handle] [middleware/errors errors/handle]
[middleware/cookies]]} [middleware/cookies]]}
["/svg" {:post svgparse}] ["/svg/parse" {:post svgparse}]
["/feedback" {:middleware [(:middleware session)] ["/feedback" {:middleware [(:middleware session)]
:post feedback}] :post feedback}]

17
backend/src/app/svgparse.clj
View file

@ -12,6 +12,7 @@
[app.common.exceptions :as ex] [app.common.exceptions :as ex]
[app.metrics :as mtx] [app.metrics :as mtx]
[clojure.spec.alpha :as s] [clojure.spec.alpha :as s]
[clojure.tools.logging :as log]
[clojure.xml :as xml] [clojure.xml :as xml]
[integrant.core :as ig]) [integrant.core :as ig])
(:import (:import
@ -45,14 +46,24 @@
{:status 200 {:status 200
:body (process-request body)}) :body (process-request body)})
(defn secure-factory
[s ch]
(.. (doto (javax.xml.parsers.SAXParserFactory/newInstance)
(.setFeature javax.xml.XMLConstants/FEATURE_SECURE_PROCESSING true)
(.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true))
(newSAXParser)
(parse s ch)))
(defn parse (defn parse
[data] [data]
(try (try
(with-open [istream (IOUtils/toInputStream data "UTF-8")] (with-open [istream (IOUtils/toInputStream data "UTF-8")]
(xml/parse istream)) (xml/parse istream secure-factory))
(catch Exception _e (catch Exception e
(log/warnf "error on processing svg: %s" (ex-message e))
(ex/raise :type :validation (ex/raise :type :validation
:code :invalid-svg-file)))) :code :invalid-svg-file
:cause e))))
(defn process-request (defn process-request
[body] [body]

2
frontend/src/app/main/data/workspace/persistence.cljs
View file

@ -396,7 +396,7 @@
(defn parse-svg [[name text]] (defn parse-svg [[name text]]
(->> (http/send! {:method :post (->> (http/send! {:method :post
:uri "/api/svg" :uri "/api/svg/parse"
:headers {"content-type" "image/svg+xml"} :headers {"content-type" "image/svg+xml"}
:body text}) :body text})
(rx/map (fn [{:keys [status body]}] (rx/map (fn [{:keys [status body]}]

2
frontend/src/app/main/repo.cljs
View file

@ -5,7 +5,7 @@
;; This Source Code Form is "Incompatible With Secondary Licenses", as ;; This Source Code Form is "Incompatible With Secondary Licenses", as
;; defined by the Mozilla Public License, v. 2.0. ;; defined by the Mozilla Public License, v. 2.0.
;; ;;
;; Copyright (c) 2020 UXBOX Labs SL ;; Copyright (c) UXBOX Labs SL
(ns app.main.repo (ns app.main.repo
(:require (:require