
[Bug][Security] Markdown does not have any URI scheme restrictions

Open stypr opened this issue 1 year ago • 0 comments

Bug Description

There doesn't seem to be any URI scheme validation when the URL is already set on the link. This makes it possible for attackers to create a malicious link that can open any kind of URI on the client side, including executables, deeplinks and files on the local directory. As a result, an attacker can craft a malicious payload to harm other users simply by leaving a link on the page.

It may not sound exploitable at all, but if the victim's system has an application with a vulnerability in its deeplink implementation, this issue can be leveraged to achieve arbitrary code execution.

How to Reproduce

Opening cmd.exe

  1. Create a new document with the following text:

     [Click Me](file:///C:\Windows\System32\calc.exe)

  2. Convert it to a link -- you can remove ) and re-add ) to turn it into a link.

  3. Click on the link, then choose Open link.

  4. Confirm that cmd is opened.


Other possible deeplinks

[deeplink1](appflowy-flutter://#access_token=1234&refresh_token=1234)
[deeplink2](AppFlowy://12341234)
[deeplink3](calculator://1)

Expected Behavior

The URL needs to be validated, and an Incorrect Link message needs to be shown when validation fails.

Operating System

Windows 11 x86_64

AppFlowy Version(s)

0.5.4

Screenshots

No response

Additional Context

No response

stypr avatar Apr 23 '24 17:04 stypr
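The fix the report asks for is a scheme allowlist applied before a link is opened. The following is an added example written for this page, not AppFlowy's own code (AppFlowy is a Dart/Flutter application; the check is shown in Python so it can be run and tested directly). It assumes a hypothetical `validate_link` entry point, an allowlist of `http`, `https` and `mailto` chosen for illustration, and the sample links below, which are constructed from the report's own payloads plus a few edge cases (mixed-case schemes, embedded control characters, a bare Windows path, a relative path).

```python
"""Scheme-allowlist validation for markdown link targets (added example, not AppFlowy code)."""
import re
from dataclasses import dataclass
from typing import Optional, List, Dict

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Allowlist, not a denylist: anything not listed (file, custom app deeplinks,
# javascript, data, ...) is rejected.  Chosen for illustration (assumption).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


@dataclass(frozen=True)
class LinkDecision:
    allowed: bool
    scheme: Optional[str]   # parsed scheme (lowercased), or None if absent
    reason: str             # user-facing message, e.g. "Incorrect Link: ..."


def normalize(url: str) -> str:
    """Strip surrounding whitespace and embedded C0 control characters / DEL.

    URL parsers in browsers and platform URL launchers commonly ignore these
    characters, so a validator that does not remove them first could be fooled
    by a target such as "java\\nscript:..." that later resolves to "javascript:".
    """
    stripped = url.strip()
    return "".join(ch for ch in stripped if not (ord(ch) < 0x20 or ord(ch) == 0x7F))


def validate_link(url: str) -> LinkDecision:
    """Decide whether a link target may be handed to the OS URL launcher."""
    cleaned = normalize(url)
    match = SCHEME_RE.match(cleaned)
    if match is None:
        # No scheme at all (relative path, bare text): never launch it.
        return LinkDecision(False, None, "Incorrect Link: missing URI scheme")
    scheme = match.group(1).lower()  # schemes are case-insensitive
    if scheme not in ALLOWED_SCHEMES:
        return LinkDecision(False, scheme, f"Incorrect Link: scheme '{scheme}' is not allowed")
    return LinkDecision(True, scheme, "ok")


def audit_links(urls: List[str]) -> Dict[str, LinkDecision]:
    """Run the validator over a batch of link targets (e.g. every link in a page)."""
    return {u: validate_link(u) for u in urls}


# Constructed sample input: the report's payloads plus edge cases (not real page data).
SAMPLE_LINKS = [
    "file:///C:\\Windows\\System32\\calc.exe",                 # from the report
    "appflowy-flutter://#access_token=1234&refresh_token=1234",  # from the report
    "AppFlowy://12341234",                                      # from the report
    "calculator://1",                                           # from the report
    "https://appflowy.io/",                                     # benign
    "HTTPS://APPFLOWY.IO/",                                     # case-insensitive scheme
    "\tjava\nscript:alert(1)",                                  # control-character smuggling
    "C:\\Windows\\System32\\calc.exe",                          # bare path parses as scheme "c"
    "docs/readme.md",                                           # relative path, no scheme
    "mailto:user@example.com",                                  # benign
]

if __name__ == "__main__":
    for url, decision in audit_links(SAMPLE_LINKS).items():
        verdict = "ALLOW " if decision.allowed else "REJECT"
        print(f"{verdict} scheme={decision.scheme!r:20} {decision.reason}  <- {url!r}")
```

Two design points matter here. First, the decision is made on an allowlist of schemes rather than by blocking `file:`; every deeplink in the report (`appflowy-flutter`, `appflowy`, `calculator`) falls out automatically, as does any scheme registered by a third-party application the validator has never heard of. Second, whitespace and control characters are removed before the scheme is read, so the validator sees the same scheme the platform launcher will eventually act on.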