
PDF preview with XSS causing command execution #11949

Closed
3 tasks done
guchangan1 opened this issue Jul 11, 2024 · 1 comment

Comments

@guchangan1

guchangan1 commented Jul 11, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Can the issue be reproduced with the default theme (daylight/midnight)?

  • I was able to reproduce the issue with the default theme

Could the issue be due to extensions?

  • I've ruled out the possibility that the extension is causing the problem.

Describe the problem

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context.
If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

PoC

  1. Download latest Siyuan-3.1.0 app
  2. Create a new document, and directly insert a malicious PDF document that has been created.
    poc-rce.pdf
  3. Open it later; the calculator popped up.
    (screenshot attached)

Occurrence

app/stage/protyle/js/pdf/pdf.js

Impact

Client side code execution.

Expected result

Upgrade pdf.js

Screenshot or screen recording presentation

SIYUAN-pdf-xss.mp4

Version environment

- Version: 3.1.0 (latest)
- Operating System: ARM macOS Sonoma 14.5
- Browser (if used):

Log file

2024/07/11 10:24:23 runtime.go:74: kernel is booting:
* ver [3.1.0]
* arch [arm64]
* os [darwin]
* pid [21316]
* runtime mode [prod]
* working directory [/Applications/SiYuan.app/Contents/Resources]
* read only [false]
* container [std]
* database [ver=20220501]

More information

No response
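As an added example (not code from this issue, from SiYuan, or from pdf.js), the following wrapper forces the `isEvalSupported` option off when handing a document to pdf.js, which is the setting the report above names as what lets a crafted PDF run script in the hosting page. It assumes `pdfjsLib` is any pdf.js build exposing `getDocument(params)`; the stand-in used in `demo()` is constructed here so the file runs offline.

```javascript
// Added example, not code from the SiYuan issue, SiYuan, or pdf.js. It wraps a
// pdf.js build's getDocument() so the isEvalSupported option is always false,
// the setting the report names as what lets a crafted PDF run script.
// `pdfjsLib` is assumed to be any object exposing getDocument(params).

const FORCED_OPTIONS = Object.freeze({
  // With eval disabled, pdf.js uses its slower non-eval path for PDF functions/fonts.
  isEvalSupported: false,
});

// Return a copy of the caller's getDocument() parameters with the forced
// options applied, plus the keys the caller had tried to set differently.
function hardenedDocumentParams(params) {
  // getDocument() also accepts a bare URL string; normalise that to an object.
  const src = typeof params === "string" ? { url: params } : { ...(params || {}) };
  const overridden = [];
  for (const [key, value] of Object.entries(FORCED_OPTIONS)) {
    if (key in src && src[key] !== value) overridden.push(key);
    src[key] = value;
  }
  return { params: src, overridden };
}

// Load a document through pdf.js with the hardened parameters. Returns the
// pdf.js loading task; overridden keys are reported through onOverride so an
// app can log callers that tried to re-enable eval.
function loadPdfSafely(pdfjsLib, params, onOverride = () => {}) {
  const { params: safe, overridden } = hardenedDocumentParams(params);
  if (overridden.length) onOverride(overridden);
  return pdfjsLib.getDocument(safe);
}

// Offline demo with a constructed stand-in for pdf.js that records what it got.
function demo() {
  const received = [];
  const fakePdfjs = {
    getDocument(p) { received.push(p); return { promise: Promise.resolve("doc") }; },
  };
  const warnings = [];
  // A caller explicitly asking for eval (the insecure default) is overridden and reported.
  loadPdfSafely(fakePdfjs, { url: "sample.pdf", isEvalSupported: true }, k => warnings.push(...k));
  return { received, warnings };
}
```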

@88250
Member

88250 commented Jul 11, 2024

Duplicate of #11650

@88250 88250 marked this as a duplicate of #11650 Jul 11, 2024
@88250 88250 closed this as completed Jul 11, 2024