Summary
An XSS/RCE vulnerability allows an untrusted note opened in safe mode to execute arbitrary code.
Details
Currently, packages/renderer/MarkupToHtml.ts renders note content in safe mode by surrounding it with <pre> and </pre>, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening <pre> tag, then includes HTML that runs JavaScript.
Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS require function.
require can then be used to import modules like fs or child_process and run arbitrary commands.
PoC
- Create a note with the following markdown
</pre>
<style onload="document.body.innerHTML = top.require('child_process').exec('ls -la', (err, stdout) => {document.body.innerText += stdout});"></style>
<pre>
- Enable safe mode and restart
- Render the note created in step 1.
Impact
This is an XSS vulnerability that impacts anyone who launches Joplin in safe mode and opens an untrusted note.
Summary
An XSS/RCE vulnerability allows an untrusted note opened in safe mode to execute arbitrary code.
Details
Currently,
packages/renderer/MarkupToHtml.tsrenders note content in safe mode by surrounding it with<pre>and</pre>, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening<pre>tag, then includes HTML that runs JavaScript.Because the rendered markdown
iframehas the same origin as the toplevel document and is not sandboxed, any scripts running in the previewiframecan access thetopvariable and, thus, access the toplevel NodeJSrequirefunction.requirecan then be used to import modules likefsorchild_processand run arbitrary commands.PoC
Impact
This is an XSS vulnerability that impacts anyone who launches Joplin in safe mode and opens an untrusted note.