Class: SvgSentinel::Policy

Inherits:
Object
  • Object
show all
Defined in:
lib/svg_sentinel/policy.rb

Overview

Re-rates raw findings for the situation they will be used in. Two layers, applied in order:

  1. Rendering context. The same SVG is dangerous differently depending on how a browser will run it. Inline in the DOM has full script and network power; an SVG loaded through or CSS background runs in the browser's "secure static" mode - no scripting, no external subresources - so those findings, while still worth noting, are not on their own a reason to reject. Parser-level and denial-of-service findings (XXE, use bombs, oversize, malformed) are context-independent and never downgraded.

  2. Explicit overrides. A team can force a code to a severity or drop it entirely from config; this wins over the context rating.

Constant Summary collapse

CONTEXTS =
%i[inline standalone img css_background].freeze
CONTEXT_SENSITIVE_CODES =

Codes whose danger depends on the SVG actually scripting or fetching. Neutralised in a secure-static context (img / css_background).

%i[
  script_element event_handler script_uri css_script foreign_element
  data_uri external_ref animation animated_attribute
].freeze
SECURE_STATIC_CONTEXTS =
%i[img css_background].freeze

Instance Method Summary collapse

Constructor Details

#initialize(context: :inline, overrides: {}, disabled: []) ⇒ Policy

Returns a new instance of Policy.



33
34
35
36
37
# File 'lib/svg_sentinel/policy.rb', line 33

def initialize(context: :inline, overrides: {}, disabled: [])
  @context = context
  @overrides = normalize_overrides(overrides)
  @disabled = Array(disabled).map(&:to_sym)
end

Instance Method Details

#apply(findings) ⇒ Object



39
40
41
# File 'lib/svg_sentinel/policy.rb', line 39

def apply(findings)
  findings.filter_map { |finding| rerate(finding) }
end