Search UI XSS #11848

419066074 · 2024-06-27T10:46:30Z

思源笔记存在xss漏洞

Is there an existing issue for this?

I have searched the existing issues

Can the issue be reproduced with the default theme (daylight/midnight)?

I was able to reproduce the issue with the default theme

Could the issue be due to extensions?

I've ruled out the possibility that the extension is causing the problem.

Describe the problem

漏洞触发点位于软件的全局搜索功能，输入payload：<iframe src="" onload=alert()></iframe>，可以触发xss

可以利用file协议读取本地文件，payload：<iframe src="file:/etc/passwd"></iframe>，

Expected result

不对搜索内容进行解析。
使用安全的模板引擎
配置内容安全策略（CSP）头，限制可以加载的资源类型和来源。

Screenshot or screen recording presentation

No response

Version environment

- Version: 3.0.17
- Operating System: arm macos sonoma 14.5
- Browser (if used):

Log file

ver [3.0.17]
- arch [arm64]
- os [darwin]
- pid [85941]
- runtime mode [prod]
- working directory [/Applications/SiYuan.app/Contents/Resources]
- read only [false]
- container [std]
- database [ver=20220501]
- workspace directory [/Users/test/Documents/siyuan/zhishiku/siyuan]
  I 2024/06/27 18:19:33 conf.go:124: loaded conf [/Users/test/Documents/siyuan/zhishiku/siyuan/conf/conf.json]
  I 2024/06/27 18:19:33 conf.go:435: OpenAI API enabled
  userAgent=SiYuan/3.0.17 std/darwin
  baseURL=https://api.huiyan-ai.cn/v1
  timeout=30s
  proxy=
  model=gpt-4o
  maxTokens=0
  temperature=1.0
  maxContexts=7
  I 2024/06/27 18:19:33 conf.go:490: user has disabled [Google Analytics]
  I 2024/06/27 18:19:33 runtime.go:123: use network proxy [system]
  I 2024/06/27 18:19:33 serve.go:116: kernel [pid=85941] http server [127.0.0.1:56413] is booting
  I 2024/06/27 18:19:33 blocktree.go:513: read block tree [6.5 MB] to [/Users/test/Documents/siyuan/zhishiku/siyuan/temp/blocktree], elapsed [0.21s]
  I 2024/06/27 18:19:33 conf.go:850: database size [142.33 MB], tree/block count [667/24206]
  I 2024/06/27 18:19:33 working.go:192: kernel booted
  I 2024/06/27 18:19:33 box.go:77: auto stat [trees=667, blocks=24206, dataSize=283.4 MB, assetsSize=249.03 MB]
  I 2024/06/27 18:19:33 disk.go:33: disk usage [total=994.67 GB, used=709.96 GB, free=284.72 GB]
  I 2024/06/27 18:19:34 serve.go:129: reverse proxy server [127.0.0.1:6806] is booting
  I 2024/06/27 18:19:41 pandoc.go:132: built-in pandoc [ver=3.1.1, bin=/Users/test/Documents/siyuan/zhishiku/siyuan/temp/pandoc/bin/pandoc]
  I 2024/06/27 18:19:41 conf.go:1095: pandoc initialized, set pandoc bin to [/Users/test/Documents/siyuan/zhishiku/siyuan/temp/pandoc/bin/pandoc]

More information

No response

The text was updated successfully, but these errors were encountered:

zxhd863943427 · 2024-06-27T11:56:30Z

思源把一切用户的输入视为可信源，不会进行过滤操作，这个大概不会被视为xss漏洞。

lxzmads · 2024-06-27T15:05:13Z

这可不仅仅是个XSS，结合nodeIntegration: true选项的开启，下面的payload在mac上可以触发命令执行

<img src=# onerror="require('child_process').execSync('open /System/Applications/Calculator.app')">

不过好在好像没找到远程触发的方式，只能自己玩玩。

88250 assigned Vanessa219 Jun 29, 2024

88250 added the Bug label Jun 29, 2024

88250 added this to the 3.1.0 milestone Jun 29, 2024

88250 changed the title ~~思源笔记存在xss漏洞~~ Search UI XSS Jun 29, 2024

Vanessa219 added a commit that referenced this issue Jun 29, 2024

🎨 fix #11848

104b306

Vanessa219 closed this as completed Jun 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Search UI XSS #11848

Search UI XSS #11848

419066074 commented Jun 27, 2024 •

edited by 88250

Loading

zxhd863943427 commented Jun 27, 2024

lxzmads commented Jun 27, 2024

Search UI XSS #11848

Search UI XSS #11848

Comments

419066074 commented Jun 27, 2024 • edited by 88250 Loading

Is there an existing issue for this?

Can the issue be reproduced with the default theme (daylight/midnight)?

Could the issue be due to extensions?

Describe the problem

Expected result

Screenshot or screen recording presentation

Version environment

Log file

More information

zxhd863943427 commented Jun 27, 2024

lxzmads commented Jun 27, 2024

419066074 commented Jun 27, 2024 •

edited by 88250

Loading