Merge commit from fork

Co-authored-by: Mateusz Dębiński <mateusz.debinski@ibexa.co>

Author: mateuszdebinski

src/lib/RichText/XMLSanitizer.php

@@ -0,0 +1,200 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\FieldTypeRichText\RichText;
+
+use DOMDocument;
+use DOMText;
+use DOMXPath;
+use RuntimeException;
+
+/**
+ * @internal
+ */
+final class XMLSanitizer
+{
+    public function sanitizeXMLString(string $xmlString): string
+    {
+        $xmlString = $this->decodeHTMLEntities($xmlString);
+        $xmlString = $this->removeComments($xmlString);
+        $xmlString = $this->removeDangerousTags($xmlString);
+        $xmlString = $this->sanitizeDocType($xmlString);
+
+        return $this->removeEmptyDocType($xmlString);
+    }
+
+    public function convertCDATAToText(DOMDocument $document): DOMDocument
+    {
+        $xpath = new DOMXPath($document);
+        $cdataNodes = $xpath->query('//text()[ancestor-or-self::node()]');
+        if ($cdataNodes === false) {
+            return $document;
+        }
+
+        foreach ($cdataNodes as $cdataNode) {
+            if ($cdataNode->nodeType === XML_CDATA_SECTION_NODE && $cdataNode->parentNode !== null) {
+                $cdataNode->parentNode->replaceChild(new DOMText($cdataNode->textContent), $cdataNode);
+            }
+        }
+
+        return $document;
+    }
+
+    private function decodeHTMLEntities(string $xmlString): string
+    {
+        return html_entity_decode($xmlString, ENT_XML1, 'UTF-8');
+    }
+
+    private function removeComments(string $xmlString): string
+    {
+        $xmlString = preg_replace('/<!--\s?.*?\s?-->/s', '', $xmlString);
+
+        if ($xmlString === null) {
+            $this->throwRuntimeException(__METHOD__);
+        }
+
+        return $xmlString;
+    }
+
+    private function removeDangerousTags(string $xmlString): string
+    {
+        $xmlString = preg_replace('/<\s*(script|iframe|object|embed|style)[^>]*>.*?<\s*\/\s*\1\s*>/is', '', $xmlString);
+
+        if ($xmlString === null) {
+            $this->throwRuntimeException(__METHOD__);
+        }
+
+        return $xmlString;
+    }
+
+    private function sanitizeDocType(string $xmlString): string
+    {
+        $pattern = '/<\s*!DOCTYPE\s+(?<name>[^\s>]+)\s*(\[(?<entities>.*?)\]\s*)?>/is';
+
+        if (!preg_match($pattern, $xmlString, $matches)) {
+            return $xmlString;
+        }
+
+        $docTypeName = $matches['name'];
+        $entitiesBlock = $matches['entities'] ?? '';
+        [$safeEntities, $removedEntities] = $this->filterEntitiesFromDocType($entitiesBlock);
+
+        foreach ($removedEntities as $entity) {
+            $xmlString = preg_replace('/&' . preg_quote($entity, '/') . ';/i', '', $xmlString);
+
+            if ($xmlString === null) {
+                $this->throwRuntimeException(__METHOD__);
+            }
+        }
+
+        $safeDocType = sprintf('<!DOCTYPE %s [ %s ]>', $docTypeName, implode("\n", $safeEntities));
+        $xmlString = preg_replace($pattern, $safeDocType, $xmlString);
+
+        if ($xmlString === null) {
+            $this->throwRuntimeException(__METHOD__);
+        }
+
+        return $xmlString;
+    }
+
+    private function removeEmptyDocType(string $xmlString): string
+    {
+        $xmlString = preg_replace('/<\s*!DOCTYPE\s+[^\[\]>]*\[\s*\]>/is', '', $xmlString);
+
+        if ($xmlString === null) {
+            $this->throwRuntimeException(__METHOD__);
+        }
+
+        return $xmlString;
+    }
+
+    /**
+     * @return array<int, array<int, string>>
+     */
+    private function filterEntitiesFromDocType(string $entitiesBlock): array
+    {
+        $lines = explode("\n", $entitiesBlock);
+        $safeEntities = [];
+        $entitiesToRemove = [];
+        $entityDefinitions = [];
+
+        foreach ($lines as $line) {
+            $line = trim($line);
+
+            if (preg_match('/<!ENTITY\s+(\S+)\s+(SYSTEM|PUBLIC)\s+/i', $line, $matches)) {
+                $entitiesToRemove[] = $matches[1];
+                continue;
+            }
+
+            if (!preg_match('/<!ENTITY\s+(\S+)\s+"([^"]+)"/', $line, $matches)) {
+                continue;
+            }
+
+            $entityName = $matches[1];
+            $entityValue = $matches[2];
+            $entityDefinitions[$entityName] = $entityValue;
+
+            if (preg_match('/&\S+;/', $entityValue)) {
+                $entitiesToRemove[] = $entityName;
+                continue;
+            }
+
+            $safeEntities[] = $line;
+        }
+
+        $entitiesToRemove = $this->resolveRecursiveEntities($entityDefinitions, $entitiesToRemove);
+        $safeEntities = array_filter($safeEntities, function ($line) use ($entitiesToRemove) {
+            return !$this->containsUnsafeEntity($line, $entitiesToRemove);
+        });
+
+        return [$safeEntities, $entitiesToRemove];
+    }
+
+    /**
+     * @param array<int, string> $entitiesToRemove
+     * @param array<string, string> $entityDefinitions
+     *
+     * @return array<int, string>
+     */
+    private function resolveRecursiveEntities(array $entityDefinitions, array $entitiesToRemove): array
+    {
+        foreach ($entityDefinitions as $name => $value) {
+            foreach ($entitiesToRemove as $toRemove) {
+                if (strpos($value, "&$toRemove;") !== false && !in_array($name, $entitiesToRemove, true)) {
+                    $entitiesToRemove[] = $name;
+                }
+            }
+        }
+
+        return array_unique($entitiesToRemove);
+    }
+
+    /**
+     * @param array<int, string> $entitiesToRemove
+     */
+    private function containsUnsafeEntity(string $line, array $entitiesToRemove): bool
+    {
+        foreach ($entitiesToRemove as $toRemove) {
+            if (strpos($line, $toRemove) !== false) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * @return never
+     */
+    private function throwRuntimeException(string $functionName): void
+    {
+        throw new RuntimeException(
+            sprintf('%s returned null for "$xmlString", error: %s', $functionName, preg_last_error_msg())
+        );
+    }
+}

src/lib/eZ/RichText/DOMDocumentFactory.php

@@ -10,9 +10,18 @@
 
 use DOMDocument;
 use EzSystems\EzPlatformRichText\eZ\RichText\Exception\InvalidXmlException;
+use Ibexa\FieldTypeRichText\RichText\XMLSanitizer;
 
 final class DOMDocumentFactory
 {
+    /** @var \Ibexa\FieldTypeRichText\RichText\XMLSanitizer */
+    private $xmlSanitizer;
+
+    public function __construct(XMLSanitizer $xmlSanitizer)
+    {
+        $this->xmlSanitizer = $xmlSanitizer;
+    }
+
     /**
      * Creates \DOMDocument from given $xmlString.
      *
@@ -33,11 +42,11 @@ public function loadXMLString(string $xmlString): DOMDocument
         // - substitute entities
         // - disable network access
         // - relax parser limits for document size/complexity
-        $success = $document->loadXML($xmlString, LIBXML_NOENT | LIBXML_NONET | LIBXML_PARSEHUGE);
+        $success = $document->loadXML($this->xmlSanitizer->sanitizeXMLString($xmlString), LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NONET | LIBXML_PARSEHUGE);
         if (!$success) {
             throw new InvalidXmlException('$xmlString', libxml_get_errors());
         }
 
-        return $document;
+        return $this->xmlSanitizer->convertCDATAToText($document);
     }
 }

src/lib/eZ/settings/fieldtype_services.yaml

@@ -52,6 +52,9 @@ services:
 
     EzSystems\EzPlatformRichText\eZ\RichText\DOMDocumentFactory:
         public: false
+        
+    Ibexa\FieldTypeRichText\RichText\XMLSanitizer:
+        public: false
 
     EzSystems\EzPlatformRichText\eZ\RichText\InputHandler:
         arguments:

tests/integration/eZ/SPI/RichTextFieldTypeIntegrationTest.php

@@ -17,6 +17,7 @@
 use EzSystems\EzPlatformRichText\eZ\RichText;
 use EzSystems\EzPlatformRichText\eZ\FieldType\RichText\RichTextStorage\Gateway\DoctrineStorage;
 use EzSystems\EzPlatformRichText\eZ\Persistence\Legacy\RichTextFieldValueConverter;
+use Ibexa\FieldTypeRichText\RichText\XMLSanitizer;
 
 /**
  * Integration test for legacy storage field types.
@@ -58,7 +59,7 @@ public function getTypeName()
     public function getCustomHandler()
     {
         $inputHandler = new RichText\InputHandler(
-            new RichText\DOMDocumentFactory(),
+            new RichText\DOMDocumentFactory(new XMLSanitizer()),
             new RichText\ConverterDispatcher([]),
             new RichText\Normalizer\Aggregate(),
             new RichText\Validator\ValidatorDispatcher([

tests/lib/Form/DataTransformer/RichTextTransformerTest.php

@@ -15,6 +15,7 @@
 use EzSystems\EzPlatformRichText\eZ\RichText\Converter;
 use EzSystems\EzPlatformRichText\eZ\RichText\DOMDocumentFactory;
 use EzSystems\EzPlatformRichText\eZ\RichText\InputHandlerInterface;
+use Ibexa\FieldTypeRichText\RichText\XMLSanitizer;
 use EzSystems\EzPlatformRichText\Form\DataTransformer\RichTextTransformer;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Form\Exception\TransformationFailedException;
@@ -37,7 +38,7 @@ protected function setUp(): void
 
         $this->richTextTransformer = new RichTextTransformer(
             // DOMDocumentFactory is final
-            new DOMDocumentFactory(),
+            new DOMDocumentFactory(new XMLSanitizer()),
             $this->inputHandler,
             $this->docbook2xhtml5editConverter
         );

tests/lib/eZ/FieldType/RichTextTest.php

@@ -26,6 +26,7 @@
 use EzSystems\EzPlatformRichText\eZ\RichText\RelationProcessor;
 use EzSystems\EzPlatformRichText\eZ\RichText\Validator\Validator;
 use EzSystems\EzPlatformRichText\eZ\RichText\Validator\ValidatorDispatcher;
+use Ibexa\FieldTypeRichText\RichText\XMLSanitizer;
 use PHPUnit\Framework\TestCase;
 use RuntimeException;
 
@@ -41,7 +42,7 @@ class RichTextTest extends TestCase
     protected function getFieldType()
     {
         $inputHandler = new InputHandler(
-            new DOMDocumentFactory(),
+            new DOMDocumentFactory(new XMLSanitizer()),
             new ConverterDispatcher([
                 'http://docbook.org/ns/docbook' => null,
             ]),