fix(scanner): avoid SVG/XML false positives; add allowlist and .gitignore

Relax payload scanner for XML/SVG by passing content-type into checks Skip JS-style eval() detection when content-type is XML/SVG Pass request Content-Type through sniff_file_for_php_payload() and raw-body checks Add common XML/SVG content-types to allowlist.json Add repository .gitignore (ignore logs, quarantine/, state/, env, vendor, IDE files)
2026-02-07 15:11:15 +01:00
commit 037b176892
5 changed files with 1585 additions and 0 deletions
--- a/allowlist.json
+++ b/allowlist.json
@@ -0,0 +1,22 @@
+{
+  "uris": [
+    "/api/uploads/avatars",
+    "/api/v1/avatars",
+    "/user/avatar",
+    "/media/upload",
+    "/api/media",
+    "/api/uploads",
+    "/api/v1/uploads",
+    "/attachments/upload",
+    "/upload",
+    "#^/internal/webhook#",
+    "#/hooks/(github|gitlab|stripe|slack)#",
+    "/services/avatars",
+    "/api/profile/photo"
+  ],
+  "ctypes": [
+    "image/svg+xml",
+    "application/xml",
+    "text/xml"
+  ]
+}