Denial of Service in actionPandoc. #1846

Closed
y0d3n opened this issue Jan 3, 2024 · 2 comments · Fixed by #1847

y0d3n commented Jan 3, 2024

Summary

It takes advantage of the fact that the property of req.query.xxx can be overridden.
(Implicit in outputFormats[exportType], toString is performed on variables such as exportType.)

lib/note/noteActions.js#L136 is inside the async function and outside try/catch, so an error here will stop the entire application.

const { exportType } = req.query
const contentType = outputFormats[exportType]

Steps to reproduce

  1. Create a Note and get the ID from the URL
    Here it is http://localhost:3000/cCijJWDqR3Ot9etF_oFmDw
  2. Access http://localhost:3000/cCijJWDqR3Ot9etF_oFmDw/pandoc?exportType[toString]=test
    Please replace the ID accordingly

TypeError: Cannot convert object to primitive value
at actionPandoc (/home/yoden/work/project/codimd/lib/note/noteActions.js:136:36)
at noteActions (/home/yoden/work/project/codimd/lib/note/index.js:187:7)
2024-01-03T15:32:10.225Z error: An uncaught exception has occured.
2024-01-03T15:32:10.225Z error: Cannot convert object to primitive value
TypeError: Cannot convert object to primitive value
at actionPandoc (/home/yoden/work/project/codimd/lib/note/noteActions.js:136:36)
at noteActions (/home/yoden/work/project/codimd/lib/note/index.js:187:7) {
level: 'error',
timestamp: '2024-01-03T15:32:10.225Z',
[Symbol(level)]: 'error',
[Symbol(message)]: '2024-01-03T15:32:10.225Z error: \tCannot convert object to primitive value'
}
2024-01-03T15:32:10.226Z error: Process will exit now.

Suggested fix

Include the problematic part in the try/catch for proper error handling.
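
The failure reported above and a hardened lookup, as an added example that is not part of the original post or the project's code. The `outputFormats` values, the `handleExport` wrapper and the sample inputs are assumptions constructed for illustration.

```javascript
// Constructed stand-in for the project's outputFormats table (values are assumptions).
const outputFormats = { html: 'text/html', txt: 'text/plain' };

// Lookup as quoted in the issue: using an object as a property key forces a
// string conversion, which throws when the object's toString is not callable.
function unsafeLookup(query) {
  const { exportType } = query;
  return outputFormats[exportType];
}

// Hardened lookup: accept only a string that is an own key of the table, so
// objects, arrays and inherited names such as "constructor" are rejected.
function resolveContentType(query) {
  const { exportType } = query;
  if (typeof exportType !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(outputFormats, exportType)) return null;
  return outputFormats[exportType];
}

// Hypothetical handler: validate first, and keep the body inside try/catch so
// an error cannot escape the async function and take the process down.
async function handleExport(query) {
  try {
    const contentType = resolveContentType(query);
    if (contentType === null) return { status: 400, body: 'unsupported exportType' };
    return { status: 200, contentType };
  } catch (err) {
    return { status: 500, body: 'export failed' };
  }
}

// Constructed inputs: the object a nested-query parser yields for
// exportType[toString]=test, an inherited key name, and a valid value.
const hostile = { exportType: { toString: 'test' } };
const protoKey = { exportType: 'constructor' };
const valid = { exportType: 'html' };

// Reports whether the unvalidated lookup throws a TypeError for this query.
function unsafeThrows(query) {
  try { unsafeLookup(query); return false; } catch (e) { return e instanceof TypeError; }
}
```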

Yukaii added this to the Next milestone Jan 4, 2024
Yukaii added a commit that referenced this issue Jan 4, 2024
Yukaii linked a pull request Jan 4, 2024 that will close this issue
Yukaii added a commit that referenced this issue Jan 4, 2024

y0d3n commented Jan 4, 2024

Good correction.
Can I request a CVE number for this vulnerability?

@a60814billy
Member

Hi @y0d3n,
Sure thing!

Yukaii modified the milestones: Next, 2.5.2 Jan 5, 2024