Display SVG files as images instead of text

[jtran]

This is an attempt to close #1095. It makes the following changes:

• Detects SVG image files and serves them with Content-Type: image/svg+xml instead of text/plain, text/html, or text/xml. This allows users to view an SVG as an image when browsing a repo's tree and when it's embedded in a markdown file.
• Serves extra security headers for SVG files in raw and media routes: Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox and X-Content-Type-Options: nosniff. This prevents the execution of scripts in untrusted SVG files.
• Adds regression tests for the above
• UI toggle on the view file page to switch between the text source and the rendered image for SVG files
• Adds a config setting to disable the feature
• Hides the "raw" button when viewing SVG files since unsafe styles aren't displayed, and viewing the image without styles may be confusing. Users can always right-click on the image to view or save it.

I tested this with https://github.com/edgar-bonet/test-svg-mime in Firefox and Chrome.

[techknowlogick]

Thank you for this PR, and especially thank you for including tests & documentation :)

This is not an exhaustive review, just a few preliminary comments.

[silverwind]

Hides the "raw" button when viewing SVG files since unsafe styles aren't displayed, and viewing the image without styles may be confusing. Users can always right-click on the image to view or save it.

I have to say I like the "Raw" button on GitHub for SVG. It just opens the SVG with the mime type image/svg+xml in a new tab. Which styles are you refering to? SVGs are self-contained.

[jtran]

@silverwind,

Without adding style-src 'unsafe-inline'; to the content-security-policy, I haven't been able to view styles that are contained within SVG images. When you view an image directly by navigating to the raw URL in your browser, <img> tag security measures do not apply. So in this case, the content-security-policy is the only thing preventing malicious scripts inside SVGs from executing. Apparently there are also potentially harmful styles too? But I'm not an expert on this.

If someone understands this issue better and can explain why adding style-src 'unsafe-inline'; would be safe without additional security measures (like a separate domain), I would happily add that. But I'm not sure about the implications.

[silverwind]

Good read on SVG security: https://www.w3.org/wiki/SVG_Security

You're right, <img> seems to be safe to use while serving raw with image/svg+xml will execute scripts, so I guess we'd need to sanitize the SVG first for this case (stripping script tags and url references using bluemonday as mentioned in #1095, if it can do that).

[jtran]

serving raw with image/svg+xml will execute scripts, so I guess we'd need to sanitize the SVG first for this case

That's why we use Content-Security-Policy: default-src 'none'; sandbox, which disables scripts. Sanitizing isn't needed to disable scripts. Please read up on #1095. Although they aren't mutually exclusive, my understanding from that issue is that people favor sandboxing over filtering/sanitizing. A sanitizing pull request #8024 was abandoned.

[silverwind]

Few minor UI things:

1. Display lines of code for SVG, e.g. like GitHub:

2. Editing should be allowed but UI currently shows "Cannot edit binary files"
3. Also use the rendered view in diffs, currently it's showing source. might actually be undesirable for review, need both views.

I think ultimately we'll need a switchable view with source and rendered but I guess rendered only will work as a start.

CI failure seems unrelated, maybe you can rebase/push once more to get it restarted.

[silverwind]

Regarding raw: How about just showing the source in text/plain? I think it makes more sense, I'm usually after the source and currently there's no direct way to show it.

I also noticed SMIL animations (example) do not play in Firefox (they do in Chrome) when right clicking and view image. Is that caused by the sandboxing?

[kdumontnu]

Regarding raw: How about just showing the source in text/plain? I think it makes more sense, I'm usually after the source and currently there's no direct way to show it.

Agree with text/plain view for raw. I've started work on a toggle button for regular file view. I'll continue that once this is merged

[jtran]

Regarding raw: How about just showing the source in text/plain? I think it makes more sense, I'm usually after the source and currently there's no direct way to show it.

If we did that, then embedding SVG images in markdown wouldn't work. Assuming the embedding uses the same raw URL, the server cannot distinguish between the two cases.

I also noticed SMIL animations (example) do not play in Firefox (they do in Chrome) when right clicking and view image. Is that caused by the sandboxing?

The animation plays for me in Firefox v84.0.1 when I follow that link. Maybe I misunderstood and you meant using this branch.

[silverwind]

The animation plays for me in Firefox v84.0.1 when I follow that link.

Yes they play in GitHub but not in Gitea because of the missing style-src 'unsafe-inline' directive that GitHub serves, see suggestion above.

If we did that, then embedding SVG images in markdown wouldn't work. Assuming the embedding uses the same raw URL, the server cannot distinguish between the two cases.

I think it's unavoidable we add a JS-switchable view for rendered/source mode. Do you think you can implement something like that here?

[jtran]

Yes, I can add a way in the UI to toggle between text source and image.

Should I add style-src 'unsafe-inline' also? I just didn't want to add it if there was a security risk.

[jtran]

To clarify, it's not clear to me that we can just do what GitHub does in terms of the CSP because GitHub has additional security measures like serving content from a different domain. Presumably, serving from another domain is a much larger change that is out of scope for this pull request. But I could be wrong.

[silverwind]

Should I add style-src 'unsafe-inline' also? I just didn't want to add it if there was a security risk.

It's the only way to get SMIL to work in Firefox and I think it's an essential part of SVG. I don't see anything wrong allowing inline styles. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1683972 because I believe classifying SMIL as inline style is wrong in Firefox.

[silverwind]

I agree, JS toggle can come later.

[kdumontnu]

@silverwind @techknowlogick @zeripath If you have a chance can you take a look through this PR? Should be all set & a big improvement to how gitea handles svgs. Most of the files in the diff are for integration test.

[lunny]

Is unsafe-inline necessary here? ref. https://content-security-policy.com/unsafe-inline/

[jtran]

Without it, many SVG images look nothing like they're intended to look. Many SVG attributes have a style alternative.

That said, I originally omitted it, but I was asked to add it in another comment in this PR. As long as it's safe, I think that including it is a good thing.

[lunny]

Please see my ref article, It said

When you want to allow inline scripts or styles on a page that uses CSP, there two much better options: nonce or hash.

[jtran]

I read the article. I'm having trouble understanding how nonce or hash is actually better. If I understand it correctly, a hash prevents modification between the server and client, which is not more than what HTTPS would do. So this is to make the HTTP case safer.

If you think that's what we should do, it's not clear to me how to actually implement it. It seems like we would need to parse the SVG file enough to either insert nonces at the appropriate places in the SVG or read all the inline styles so that we can compute their hashes. Is this what you're saying? I'm guessing this must include all the style="..." attributes. There could potentially be many of them. I'll think about it some more.

[CirnoT]

@lunny The suggestion from the ref article is not applicable in this case, as the CSP is applied when rendering user-generated content (the SVG file). The general purpose of using nonce is so that website can include inline script in non-user controlled HTML content while at the same time benefiting from CSP blocking possible XSS attacks.

[lunny]

nonce of CSP requires a change to the svg content dynamiclly which will make the thing complicated.

[kdumontnu]

@lunny Is the "View Raw" case really commonly used? In my opinion we should take the most conservative/secure option for view raw or disable it for SVG and keep the size of this PR reasonable.
This PR already fixes embedding svgs in markdown, renders in view-file, and toggles between render/code, which is a huge improvement. If the view raw case isn't perfect, it can be discussed and improved in a subsequent PR.
My preferences for now:

1. Add secure CSP headers and disable view raw button for svgs
   OR
2. Render svg as code in view raw case

[vmario89]

hi. saw that this was merged but it was not yet released right? Tried to configure Gitea ui.svg ENABLE_RENDER = true in app.ini but i guess thats another setting, not related to this? Looking forward to directly display SVG files in preview instead of plaintext.

https://github.com/go-gitea/gitea/issues/1095
https://github.com/go-gitea/gitea/pull/14101
https://docs.gitea.io/en-us/config-cheat-sheet/#ui---svg-images-uisvg

[kdumontnu]

hi. saw that this was merged but it was not yet released right? Tried to configure Gitea ui.svg ENABLE_RENDER = true in app.ini but i guess thats another setting, not related to this? Looking forward to directly display SVG files in preview instead of plaintext.

I believe it is queued for release in version 1.14. You can test it in the current master branch.
The setting is enabled by default, so no need to change app.ini