[security] XSS can lead to RCE via shell.openExternal #6291

@luigigubello

Description

What happened?

Logseq Desktop app 0.7.9 (5e2487c6d84840780fb83ae518d34cac885d7026) is vulnerable to cross-site scripting (arbitrary Javascript injection), which could lead to remote code execution via shell.openExternal.

It is possible to inject arbitrary JS code in Logseq pages, you can write the following payloads in a new page to reproduce the bugs:

  • [:iframe {:src "javascript:confirm(1);"}]
  • <details open ontoggle=confirm(1);></details>

It's unclear to me if this is a feature or a bug [1], because there are some attempts to block JS injections (like remove-javascript-links-in-href [2]), but this Javascript injection can be abused on the Electron app by launching custom applications, which can lead to arbitrary code execution (e.g. running commands via vulnerable custom protocols or smb:// [3] - [4]). In the code, we can see there is no allowlist for openExternal, so every custom protocol can be used in Logseq (in Windows 11, you should be able to launch MS Calculator just using the code [:iframe {:src "ms-calculator://"}]).

In addition, XSS can potentially be abused to exfiltrate local data.

Reproduce the Bug

  1. Create a new page
  2. Paste this code: [:iframe {:src "javascript:confirm(1);"}]

Expected Behavior

Allowlist - or other filters - on openExternal to prevent code injection and maybe some Javascript filters or mitigation (e.g. CSP), but this depends on the features Logseq wants to offer.

Desktop Platform Information

Logseq Desktop app 0.7.9
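The allowlist the report asks for under "Expected Behavior", written out as an added example; this is not code from the issue or from the Logseq code base. It assumes a scheme allowlist of `http:`, `https:` and `mailto:` (the function and constant names `ALLOWED_SCHEMES`, `isAllowedExternalUrl`, `openExternalSafely` and `installNavigationGuards` are mine), and it takes the Electron `webContents` and `shell` objects as parameters so the logic runs and can be checked with plain Node, without Electron installed.

```javascript
// Added example (not Logseq's code): a scheme allowlist for Electron's
// shell.openExternal, plus guards that route navigation and window-open
// requests through it. webContents and shell are injected so the module
// runs outside Electron; in a real main process you would pass
// win.webContents and require('electron').shell.

// Assumed allowlist: only schemes the OS should ever be asked to open.
// Custom protocols (ms-calculator:, smb:, ...) and javascript: are not here.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns true only for an absolute URL whose scheme is on the allowlist.
// Anything unparsable (relative paths, empty strings) is rejected.
// new URL() lowercases the protocol, so "JavaScript:" is still caught.
function isAllowedExternalUrl(raw) {
  if (typeof raw !== 'string') return false;
  let url;
  try {
    url = new URL(raw.trim());
  } catch (_) {
    return false; // not an absolute URL
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  if (url.protocol === 'mailto:') return true;
  return url.hostname.length > 0; // http(s) must name a host
}

// Use this instead of calling shell.openExternal directly.
// Returns true if the URL was handed to the OS, false if it was blocked.
function openExternalSafely(shell, raw) {
  if (!isAllowedExternalUrl(raw)) {
    console.warn(`blocked openExternal for ${JSON.stringify(raw)}`);
    return false;
  }
  shell.openExternal(raw);
  return true;
}

// Installs the guards on a window's webContents. Assumes the app never
// navigates its main window itself, so every 'will-navigate' is treated as
// an attempt to leave the app (this is the path an injected iframe or link
// would take) and is either opened through the allowlist or dropped.
function installNavigationGuards(webContents, shell) {
  webContents.on('will-navigate', (event, url) => {
    event.preventDefault();
    openExternalSafely(shell, url);
  });
  // window.open / target=_blank: never create a new BrowserWindow,
  // route the URL through the same allowlist instead.
  webContents.setWindowOpenHandler(({ url }) => {
    openExternalSafely(shell, url);
    return { action: 'deny' };
  });
}
```

A content security policy (the report's other suggestion) complements this: the allowlist bounds what an injected payload can reach once it runs, while CSP reduces the chance it runs at all.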
