Can the issue be reproduced with the default theme (daylight/midnight)?
I was able to reproduce the issue with the default theme
Could the issue be due to extensions?
I've ruled out the possibility that the extension is causing the problem.
sunriseXu changed the title from "XSS in Siyuan Electron App when rendering mermaid block diagram Causing RCEPlease enter the title of the bug report" to "XSS in Siyuan Electron App when rendering mermaid block diagram Causing RCE" on Jun 5, 2024
sunriseXu changed the title from "XSS in Siyuan Electron App when rendering mermaid block diagram Causing RCE" to "XSS in Siyuan Electron App when rendering mermaid block diagram Leading to RCE" on Jun 5, 2024
Describe the problem
Summary
Because an outdated mermaid 10.8.0 is used to render block diagrams, an XSS in a block diagram can be triggered; chained with the insecure configuration of the Windows Electron app, an attacker is able to execute code on the victim's local system.
Details
Siyuan is using mermaid 10.8.0 to render mermaid diagrams. However, the test HTML in the mermaid repo shows that the edge label names of the new block diagram are not sanitized and could lead to XSS. The node name is not fully sanitized, which leads to injection of an XSS payload.
Besides, the Electron app sets nodeIntegration to true, which is harmful; with this attack, an XSS can be escalated to execute commands on the victim's local system.
PoC
Download the latest Siyuan-3.0.17 Windows Electron app from the official site, and install the application:
Create a new document, and type the /Mermaid command to insert a mermaid diagram using the following payload:
Impact
Client-side code execution.
Reference
https://github.com/mermaid-js/mermaid/blob/d6ccd93cf207a30bbd45edf39fd29afdbb87b05e/cypress/platform/xss25.html#L98
Occurrence
siyuan/app/electron/main.js, line 305 in cfec6bc
siyuan/app/changelogs/v3.0.0/v3.0.0.md, line 30 in cfec6bc
Fix the nodeIntegration option in Electron.
Expected result
The mermaid block diagram is fully sanitized.
Screenshot or screen recording presentation
This is the video PoC:
siyuan-xss-rce.mp4
Version environment
Log file
Nothing Special
I 2024/06/04 17:53:48 working.go:146: (SiYuan ASCII-art startup banner)
I 2024/06/04 17:53:48 runtime.go:74: kernel is booting:
* ver [3.0.17]
* arch [amd64]
* os [Microsoft Windows 11 Home China]
* pid [318424]
* runtime mode [prod]
* working directory [C:\Users\11593\AppData\Local\Programs\SiYuan\resources]
* read only [false]
* container [std]
* database [ver=20220501]
* workspace directory [C:\Users\11593\SiYuan]
I 2024/06/04 17:53:48 conf.go:142: initialized the specified language [zh_CN]
I 2024/06/04 17:53:48 runtime.go:123: use network proxy [system]
I 2024/06/04 17:53:48 serve.go:116: kernel [pid=318424] http server [127.0.0.1:58785] is booting
I 2024/06/04 17:53:48 database.go:91: the database structure is changed, rebuilding database...
I 2024/06/04 17:53:48 database.go:111: reinitialized database [C:\Users\11593\SiYuan\temp\siyuan.db]
I 2024/06/04 17:53:48 conf.go:850: database size [4.1 kB], tree/block count [0/0]
I 2024/06/04 17:53:48 working.go:192: kernel booted
I 2024/06/04 17:53:49 box.go:77: auto stat [trees=0, blocks=0, dataSize=36.87 kB, assetsSize=0 B]
I 2024/06/04 17:53:49 disk.go:33: disk usage [total=1.01 TB, used=723.93 GB, free=279.57 GB]
I 2024/06/04 17:53:49 serve.go:129: reverse proxy server [127.0.0.1:6806] is booting
I 2024/06/04 17:53:51 index.go:220: rebuilt database for notebook [20210808180117-czj9bvb] in [0.02s], tree [count=69, size=1.4 MB]
I 2024/06/04 17:53:51 index.go:290: resolved refs [36] in [33ms]
I 2024/06/04 17:53:51 pandoc.go:155: initialized built-in pandoc [ver=3.1.1, bin=C:\Users\11593\SiYuan\temp\pandoc\bin\pandoc.exe]
I 2024/06/04 17:53:51 conf.go:1095: pandoc initialized, set pandoc bin to [C:\Users\11593\SiYuan\temp\pandoc\bin\pandoc.exe]
W 2024/06/04 17:53:57 blocktree.go:576: save block tree [size=742.02 kB] to [C:\Users\11593\SiYuan\temp\blocktree], elapsed [3.69s]
I 2024/06/04 17:54:09 mount.go:65: created box [20240604175409-xfun6fi]
I 2024/06/04 17:54:10 index.go:220: rebuilt database for notebook [20240604175409-xfun6fi] in [0.02s], tree [count=0, size=0 B]
I 2024/06/04 17:54:10 index.go:290: resolved refs [36] in [25ms]
I 2024/06/04 19:40:38 conf.go:587: exiting kernel [force=false, setCurrentWorkspace=true, execInstallPkg=0]
I 2024/06/04 19:40:42 conf.go:1085: closed user guide box [20210808180117-czj9bvb]
I 2024/06/04 19:40:42 database.go:1281: closed database
W 2024/06/04 19:40:45 blocktree.go:576: save block tree [size=862 B] to [C:\Users\11593\SiYuan\temp\blocktree], elapsed [3.80s]
I 2024/06/04 19:40:45 conf.go:1014: cleared workspace temp
I 2024/06/04 19:40:46 sync.go:727: sync websocket closed
I 2024/06/04 19:40:46 conf.go:587: exiting kernel [force=false, setCurrentWorkspace=true, execInstallPkg=0]
I 2024/06/04 19:40:46 database.go:1281: closed database
I 2024/06/04 19:40:46 conf.go:1014: cleared workspace temp
E 2024/06/04 19:40:46 working.go:489: remove workspace lock failed: remove C:\Users\11593\SiYuan.lock: The system cannot find the file specified.
More information
XSS payload:
xss-rce.md
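The setting this report identifies as the escalation step, `nodeIntegration: true`, is one of a small set of Electron `webPreferences` keys that decide whether a renderer-side XSS stays a web bug or becomes code execution. The following is an added example, not code from SiYuan or from the reporter: it audits a `webPreferences` object against a hardened baseline and returns a hardened copy. Only `nodeIntegration` is stated on this page; the other keys, the Electron default values, the `preload.js` path and the sample object are this example's assumptions, taken from Electron's published security recommendations.

```javascript
// Added example, not code from SiYuan or from this report. It audits an
// Electron BrowserWindow `webPreferences` object for the renderer settings
// that let a page-level XSS reach Node.js, and produces a hardened copy.
// Only `nodeIntegration: true` is stated in the report; the other keys and
// the default values below are Electron's documented security guidance and
// are this example's assumption about the baseline, not facts from the issue.

const RULES = [
  { key: 'nodeIntegration', expected: false,
    why: 'page scripts get require(), so an XSS can load child_process or fs' },
  { key: 'nodeIntegrationInWorker', expected: false,
    why: 'same exposure for Web Workers' },
  { key: 'contextIsolation', expected: true,
    why: 'keeps preload-script globals out of reach of page JavaScript' },
  { key: 'sandbox', expected: true,
    why: 'runs the renderer under the OS sandbox' },
  { key: 'webSecurity', expected: true,
    why: 'disabling it turns off the same-origin policy in the renderer' },
  { key: 'allowRunningInsecureContent', expected: false,
    why: 'lets http:// script load into an https:// page' },
];

// Values Electron applies when a key is absent. These are the documented
// defaults of recent Electron releases (nodeIntegration false since v5,
// contextIsolation true since v12, sandbox true since v20); an app on an
// older Electron should set every key explicitly rather than rely on them.
const DEFAULTS = {
  nodeIntegration: false,
  nodeIntegrationInWorker: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// Resolve each key (explicit value or default) and report every deviation
// from the expected hardened value.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const rule of RULES) {
    const actual = Object.prototype.hasOwnProperty.call(prefs, rule.key)
      ? prefs[rule.key]
      : DEFAULTS[rule.key];
    if (actual !== rule.expected) {
      findings.push({ key: rule.key, actual, expected: rule.expected, why: rule.why });
    }
  }
  return findings;
}

// Return a copy of `prefs` with every audited key set to its hardened value;
// unrelated keys (preload path, etc.) are preserved.
function hardenWebPreferences(prefs) {
  const hardened = { ...prefs };
  for (const rule of RULES) hardened[rule.key] = rule.expected;
  return hardened;
}

// Quick probe for the renderer side: run in the app's DevTools console as
// `rendererExposesNode(window)`. With nodeIntegration on, page JavaScript
// sees Node's require() and process object directly.
function rendererExposesNode(globalObj) {
  return typeof globalObj.require === 'function'
    && typeof globalObj.process === 'object' && globalObj.process !== null;
}

// Constructed sample mirroring the reported setting (nodeIntegration enabled);
// the preload path is a placeholder, not SiYuan's.
const reportedPrefs = { nodeIntegration: true, preload: 'preload.js' };

for (const f of auditWebPreferences(reportedPrefs)) {
  console.log(`${f.key}=${f.actual}, expected ${f.expected}: ${f.why}`);
}
console.log('hardened:', JSON.stringify(hardenWebPreferences(reportedPrefs)));
```

The audit resolves absent keys to Electron's defaults on purpose: a renderer created with an empty `webPreferences` is safe on a current Electron but not on an old one, so the version the app ships with decides whether "unset" is acceptable. The `rendererExposesNode` probe is the one-line check a tester runs in DevTools before spending time on a sanitizer bypass; if it returns true, any script injection in the renderer already has Node's APIs.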