mattermost/server
Andre Vasconcelos 13a0d63b3c
MM-67372: Improve link preview metadata handling and filtering (#35178)
* MM-67372: Filter SVG images from OpenGraph metadata to prevent DoS

This commit adds server-side filtering of SVG images from OpenGraph
metadata to mitigate a DoS vulnerability where malicious SVG images
in og:image tags can crash Chromium-based browsers and Safari.

Changes:
- Add IsSVGImageURL() helper function in model package to detect SVG URLs
- Filter SVG images in parseOpenGraphMetadata() for regular HTML pages
- Filter SVG images in parseOpenGraphFromOEmbed() for oEmbed responses
- Add defense-in-depth filtering in TruncateOpenGraph() and getImagesForPost()
- Add comprehensive tests for all SVG filtering functionality

SVG detection is based on:
- File extension (.svg, .svgz) - case-insensitive
- MIME type (image/svg+xml)

Reference: https://issues.chromium.org/issues/40057345

* MM-67372: Filter SVG images from cache/DB and direct SVG URLs

This commit addresses remaining attack vectors for the SVG DoS vulnerability:

1. Cache/DB filtering: Apply TruncateOpenGraph when returning OpenGraph
   from cache or database to filter stale data that was stored before
   the initial fix was deployed.

2. Direct SVG URLs: Filter PostImage entries with Format="svg" to prevent
   browser crashes when someone posts a direct link to an SVG file.

3. Embed creation: Skip creating image embeds for SVG images and create
   link embeds instead.

4. New SVG detection: Return nil instead of creating PostImage when
   fetching direct SVG URLs to prevent storing them in the database.

These changes ensure that even environments with pre-existing malicious
link metadata will be protected after a server restart.

* MM-67372: Fix test expectation for SVG image handling

* Removed duplicate logic in favor of already implemented FilterSVGImages in model

* Addressing PR comments

* Replacing exact match comparison with prefix check

* Added new test cases for unit tests
2026-02-09 16:26:14 +02:00
| Name | Last commit | Last commit date |
| --- | --- | --- |
| bin | Mono repo -> Master (#22553) | 2023-03-22 17:22:27 -04:00 |
| build | Allow building the server on FreeBSD (#25838) | 2026-02-03 14:05:16 +00:00 |
| channels | MM-67372: Improve link preview metadata handling and filtering (#35178) | 2026-02-09 16:26:14 +02:00 |
| cmd | [MM-66836] Integrate PropertyAccessService into API and app layers (#34818) | 2026-02-06 18:06:51 -05:00 |
| config | Add the ability to patch channel autotranslations (#35078) | 2026-02-06 18:19:06 +01:00 |
| einterfaces | Add the ability to patch channel autotranslations (#35078) | 2026-02-06 18:19:06 +01:00 |
| enterprise | Metrics for Autotranslations (#34900) | 2026-01-29 05:46:45 -05:00 |
| fips | MM-65959: Add FIPS indicator to about dialog (#34463) | 2025-12-11 18:37:29 -04:00 |
| fonts | Mono repo -> Master (#22553) | 2023-03-22 17:22:27 -04:00 |
| i18n | Add the ability to patch channel autotranslations (#35078) | 2026-02-06 18:19:06 +01:00 |
| platform | Add fileSize limit to extractors (#35200) | 2026-02-09 15:22:30 +01:00 |
| public | MM-67372: Improve link preview metadata handling and filtering (#35178) | 2026-02-09 16:26:14 +02:00 |
| scripts | [MM-67030] Remove newsletter signup and replace with terms/privacy agreement (#34801) | 2026-01-23 18:24:27 +00:00 |
| templates | MM-59966 - Compliance Export overhaul - feature branch (#29789) | 2025-01-10 16:56:02 -05:00 |
| tests | Remove vestigial MySQL support (#34865) | 2026-01-20 21:01:59 +00:00 |
| .gitignore | Update .server/gitignore to ignore all JSON files under the directory (#27593) | 2024-07-11 09:12:57 +02:00 |
| .go-version | bumps go version to 1.24.11 (#34876) | 2026-01-09 17:22:23 +01:00 |
| .golangci.yml | MM-62151 avoid select * for post store (#34709) | 2026-01-09 18:23:16 +00:00 |
| .sass-lint.yml | Mono repo -> Master (#22553) | 2023-03-22 17:22:27 -04:00 |
| config.mk | Enabling Prometheus, Grafana, Loki and Promtail running as containers by default in local dev environments (#34263) | 2025-10-23 14:08:53 +02:00 |
| copyright.txt | Mono repo -> Master (#22553) | 2023-03-22 17:22:27 -04:00 |
| docker-compose.makefile.m1.yml | Remove obsolete docker version (#30040) | 2025-01-30 12:53:25 -07:00 |
| docker-compose.makefile.yml | Explicitly name Postgres container volume (#33954) | 2025-10-02 09:29:00 -04:00 |
| docker-compose.pgvector.yml | Add support for pgvector in local dev (#33900) | 2025-09-15 18:58:43 +00:00 |
| docker-compose.yaml | selinux security context fixes in docker compose (#34394) | 2025-11-14 17:32:56 +01:00 |
| go.mod | updates opensearch library dependency and adds tests for caused_by error reason returned (#34826) | 2026-01-27 16:01:22 +01:00 |
| go.sum | updates opensearch library dependency and adds tests for caused_by error reason returned (#34826) | 2026-01-27 16:01:22 +01:00 |
| Makefile | chore: Update zoom version to 1.12.0 (#35167) | 2026-02-04 18:03:04 +07:00 |
| path.go | Centralize the GetPackagePath (#27004) | 2024-05-15 12:05:13 -03:00 |