Potential cross-site scripting risk due to interaction with DataviewJS or other code execution plugins
tzhouhc opened this issue · 4 comments
user Jezza#2463 in the Obsidian discord reported that:
So I just discovered something by accident. Federico from MacStories had a post this week that showcased some Dataview Snippets. I have Obsidian RSS installed so I read the article in Obsidian. To my surprise, the Dataview code snippet that he shared rendered in the article with content from MY VAULT. It makes me think that an RSS feed could be a great way for plugin developers with querying capabilities to deliver interesting snippets to the users of the plugin and have it demo with content from their vault. I thought this was pretty cool.
I am not subscribed to the paid RSS feed in question, so I am unable to personally verify the effect. Assuming it's indeed the case, I would further assume that the downloaded content is somewhat markdown-ified and rendered as native Obsidian markdown content, which brings about this effect.
As nice as this seems, if Obsidian-RSS enables execution of DQL queries of content from RSS feeds, then it probably can run DVJS as well, which would have arbitrary code execution power that carries over to any computer that has DataviewJS enabled, and is subscribed to a potentially malicious actor's RSS feed.
I don't know if there's anything that Obsidian-RSS either should or can do about the potentially malicious 3rd party content, though I believe it's probably still useful to have this issue noted here. Last I heard the author of Dataview has already been notified of the matter, so there's at least that.
I see this has already prompted an issue to Dataview!
When filing that issue I did not even think about the implications, that this would be XSS.
As a fix the next version of the plugin will wrap all code blocks that could run plugin code in a <pre>, disabling execution while still rendering a somewhat nice-looking version.
On that note, do you happen to know of any other plugins besides Dataview and Templater that could lead to this behavior?
Or an API I could retrieve a list of all registered MarkdownCodeBlockProcessors (language would be enough) from?
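The mitigation described above (rewriting fenced code blocks owned by code-executing plugins as literal `<pre>` elements before the feed item reaches the markdown renderer) as an added example. This is not the Obsidian RSS plugin's own code and not Dataview's; the language list (`dataview`, `dataviewjs`, `templater`, the three named in this thread), the `rss-neutralized` class, the `data-lang` attribute and the sample feed item are assumptions made here. The same block also gives a small `findExecutableBlocks` check of the kind used later in the thread to verify that a feed no longer triggers Dataview.

```javascript
// Added example, not code from the Obsidian RSS plugin or from Dataview.
// Idea: Obsidian only hands fenced code blocks to registered
// MarkdownCodeBlockProcessors. If a block whose language belongs to a
// code-executing plugin is turned into raw <pre> HTML before rendering, no
// processor runs, but the reader still sees the snippet.

// ASSUMPTION: hand-maintained list; the real plugin may keep a different one.
// Matching is case-insensitive on purpose (conservative: "Dataview" is also caught).
const EXECUTABLE_LANGS = new Set(["dataview", "dataviewjs", "templater"]);

// Fenced block: 3+ backticks or 3+ tildes, optional info string, body, and a
// closing fence made of the same characters on its own line.
const FENCE_RE = /^(`{3,}|~{3,})[ \t]*([^\s`~]*)[^\n]*\n([\s\S]*?)\n\1[ \t]*$/gm;

// Escape the body so feed content cannot close the <pre> early and inject
// markup (e.g. a literal "</pre><script>" inside the snippet).
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Rewrite every executable fenced block as an escaped <pre>; leave other
// blocks (plain ```js etc.) untouched so ordinary articles render as before.
function neutralizeExecutableBlocks(markdown, langs = EXECUTABLE_LANGS) {
  return markdown.replace(FENCE_RE, (whole, fence, lang, body) => {
    if (!langs.has(lang.toLowerCase())) return whole;
    return `<pre class="rss-neutralized" data-lang="${escapeHtml(lang.toLowerCase())}">${escapeHtml(body)}</pre>`;
  });
}

// Report which fenced blocks would still be handed to an executing plugin.
// Useful as a check on a rendered/neutralized feed: an empty list means
// nothing in it can reach Dataview/DataviewJS/Templater processors.
function findExecutableBlocks(markdown, langs = EXECUTABLE_LANGS) {
  return [...markdown.matchAll(FENCE_RE)]
    .map((m) => m[2].toLowerCase())
    .filter((lang) => langs.has(lang));
}

// Constructed sample feed item (not a real article). Fences are built from a
// variable so this file stays readable when itself shown inside markdown.
const F = "`".repeat(3);
const SAMPLE_FEED_ITEM = [
  "# Dataview snippets",
  "",
  "A harmless block:",
  "",
  F + "js",
  "console.log('hello');",
  F,
  "",
  "Blocks that would run inside the reader's vault:",
  "",
  F + "dataviewjs",
  "dv.list(dv.pages().file.name) // enumerates the victim's notes",
  "dv.el('div', '</pre><script>alert(1)</script>') // tries to break out of <pre>",
  F,
  "",
  "~~~Dataview",
  'TABLE file.mtime FROM ""',
  "~~~",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", findExecutableBlocks(SAMPLE_FEED_ITEM));
  const safe = neutralizeExecutableBlocks(SAMPLE_FEED_ITEM);
  console.log("after: ", findExecutableBlocks(safe));
  console.log(safe);
}
```

Note that the escaping step is what makes the `<pre>` wrapper safe: without it, a feed author could end the `<pre>` early from inside the snippet and the rest of the block would be rendered as markup again.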
This exact XSS Attack vector should now be closed as of v1.0.3
To test you can use the test feed at https://ghost.joethei.de/:
https://ghost.joethei.de/rss
Verified that the RSS page with dataviewjs scripts does not trigger dataview or dataviewjs.
Sadly the other questions I don't have answers to -- you might need to ask Licat.
Thank you for the fast patches!