Upgrade mermaid to v10.9.1 #11645

Closed
sunriseXu opened this issue Jun 5, 2024 · 3 comments
Comments


sunriseXu commented Jun 5, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Can the issue be reproduced with the default theme (daylight/midnight)?

  • I was able to reproduce the issue with the default theme

Could the issue be due to extensions?

  • I've ruled out the possibility that the extension is causing the problem.

Describe the problem

Summary

Because the outdated mermaid 10.8.0 is used to render block diagrams, an XSS in block diagrams can be triggered; chained with the insecure configuration of the Windows Electron app, an attacker is able to execute code on the victim's local system.

Details

Siyuan is using mermaid 10.8.0 to render mermaid diagrams. However, the test HTML in the mermaid repo shows that the edge label names of the new block diagram are not sanitized and could lead to XSS. The name of a node is not fully sanitized, which leads to injection of an XSS payload.

Besides, the Electron app sets nodeIntegration to true, which is harmful; according to this attack, an XSS can be escalated to execute commands on the victim's local system.

PoC

  1. Download the latest Siyuan 3.0.17 Windows Electron app from the official site and install the application.

  2. Create a new document and type the /Mermaid command to insert a mermaid diagram using the following payload:

```mermaid
block-beta
A-- "X<img src=x onerror=require('child_process').exec('calc');>" -->B
```

  3. The calculator popped up.

(screenshot: siyuan-rce)

Impact

Client side code execution.

Reference

https://github.com/mermaid-js/mermaid/blob/d6ccd93cf207a30bbd45edf39fd29afdbb87b05e/cypress/platform/xss25.html#L98

Occurrence

nodeIntegration: true,

* [Upgrade mermaid to 10.8.0](https://github.com/siyuan-note/siyuan/pull/10373)

Fix

  1. Updating to mermaid 10.9.1 will mitigate the XSS problem.
  2. Disable nodeIntegration option in electron.

Expected result

The mermaid block diagram is fully sanitized.

Screenshot or screen recording presentation

This is the video PoC:

siyuan-xss-rce.mp4

Version environment

- Version: 3.0.17
- Operating System: Windows 11
- Browser (if used): Chrome

Log file

Nothing Special

I 2024/06/04 17:53:48 working.go:146:
(ASCII-art logo banner omitted)
I 2024/06/04 17:53:48 runtime.go:74: kernel is booting:
* ver [3.0.17]
* arch [amd64]
* os [Microsoft Windows 11 Home China]
* pid [318424]
* runtime mode [prod]
* working directory [C:\Users\11593\AppData\Local\Programs\SiYuan\resources]
* read only [false]
* container [std]
* database [ver=20220501]
* workspace directory [C:\Users\11593\SiYuan]
I 2024/06/04 17:53:48 conf.go:142: initialized the specified language [zh_CN]
I 2024/06/04 17:53:48 runtime.go:123: use network proxy [system]
I 2024/06/04 17:53:48 serve.go:116: kernel [pid=318424] http server [127.0.0.1:58785] is booting
I 2024/06/04 17:53:48 database.go:91: the database structure is changed, rebuilding database...
I 2024/06/04 17:53:48 database.go:111: reinitialized database [C:\Users\11593\SiYuan\temp\siyuan.db]
I 2024/06/04 17:53:48 conf.go:850: database size [4.1 kB], tree/block count [0/0]
I 2024/06/04 17:53:48 working.go:192: kernel booted
I 2024/06/04 17:53:49 box.go:77: auto stat [trees=0, blocks=0, dataSize=36.87 kB, assetsSize=0 B]
I 2024/06/04 17:53:49 disk.go:33: disk usage [total=1.01 TB, used=723.93 GB, free=279.57 GB]
I 2024/06/04 17:53:49 serve.go:129: reverse proxy server [127.0.0.1:6806] is booting
I 2024/06/04 17:53:51 index.go:220: rebuilt database for notebook [20210808180117-czj9bvb] in [0.02s], tree [count=69, size=1.4 MB]
I 2024/06/04 17:53:51 index.go:290: resolved refs [36] in [33ms]
I 2024/06/04 17:53:51 pandoc.go:155: initialized built-in pandoc [ver=3.1.1, bin=C:\Users\11593\SiYuan\temp\pandoc\bin\pandoc.exe]
I 2024/06/04 17:53:51 conf.go:1095: pandoc initialized, set pandoc bin to [C:\Users\11593\SiYuan\temp\pandoc\bin\pandoc.exe]
W 2024/06/04 17:53:57 blocktree.go:576: save block tree [size=742.02 kB] to [C:\Users\11593\SiYuan\temp\blocktree], elapsed [3.69s]
I 2024/06/04 17:54:09 mount.go:65: created box [20240604175409-xfun6fi]
I 2024/06/04 17:54:10 index.go:220: rebuilt database for notebook [20240604175409-xfun6fi] in [0.02s], tree [count=0, size=0 B]
I 2024/06/04 17:54:10 index.go:290: resolved refs [36] in [25ms]
I 2024/06/04 19:40:38 conf.go:587: exiting kernel [force=false, setCurrentWorkspace=true, execInstallPkg=0]
I 2024/06/04 19:40:42 conf.go:1085: closed user guide box [20210808180117-czj9bvb]
I 2024/06/04 19:40:42 database.go:1281: closed database
W 2024/06/04 19:40:45 blocktree.go:576: save block tree [size=862 B] to [C:\Users\11593\SiYuan\temp\blocktree], elapsed [3.80s]
I 2024/06/04 19:40:45 conf.go:1014: cleared workspace temp
I 2024/06/04 19:40:46 sync.go:727: sync websocket closed
I 2024/06/04 19:40:46 conf.go:587: exiting kernel [force=false, setCurrentWorkspace=true, execInstallPkg=0]
I 2024/06/04 19:40:46 database.go:1281: closed database
I 2024/06/04 19:40:46 conf.go:1014: cleared workspace temp
E 2024/06/04 19:40:46 working.go:489: remove workspace lock failed: remove C:\Users\11593\SiYuan.lock: The system cannot find the file specified.

More information

XSS payload:

xss-rce.md

@sunriseXu changed the title from "XSS in Siyuan Electron App when rendering mermaid block diagram Causing RCEPlease enter the title of the bug report" to "XSS in Siyuan Electron App when rendering mermaid block diagram Causing RCE" on Jun 5, 2024
@sunriseXu changed the title from "XSS in Siyuan Electron App when rendering mermaid block diagram Causing RCE" to "XSS in Siyuan Electron App when rendering mermaid block diagram Leading to RCE" on Jun 5, 2024

88250 commented Jun 5, 2024

@Vanessa219 Upgrade mermaid to v10.9.1+ mermaid-js/mermaid@c7fe9a6

@88250 88250 added the Bug label Jun 5, 2024
@88250 88250 changed the title XSS in Siyuan Electron App when rendering mermaid block diagram Leading to RCE Mermaid XSS Jun 5, 2024
@88250 88250 added Refactor and removed Bug labels Jun 5, 2024
@88250 88250 changed the title Mermaid XSS Upgrade mermaid to v10.9.1 Jun 5, 2024
@88250 88250 added this to the 3.1.0 milestone Jun 5, 2024
sunriseXu (Author) commented

@88250 Hello, could you help me apply for a CVE for this bug?


88250 commented Jun 5, 2024

Sorry, I don't know how to apply for one. Besides, this is mainly an upstream vulnerability, so it doesn't seem quite appropriate.

Vanessa219 added a commit that referenced this issue Jun 5, 2024
copialot pushed a commit to copialot/siyuan that referenced this issue Aug 3, 2024