Description: Importing tar file can lead to arbitrary code execution.
Reproduction Steps:
Test and set the Type to Render HTML Note.Type to HTML. Paste in the following code into the child note that you just created.<script>top.require('child_process').exec('calc')</script>
Test, set Type to Relation, Name to renderNote and Value to child note.Test, you'll see a calculator pop up. If you are on Mac or Linux, replace 'calc' with any other shell command/program.Test note as a HTML which will give you a tar file. Now delete the Test note from the application.tar file, you'll see a calculator pop up. So just by importing a tar file there's arbitrary code execution.Fix: Disable nodeIntegration
Yes. This is actually not the only way to execute arbitrary code after import and in other cases disabling nodeIntegration would not help.
Trilium is designed to be scriptable which means the notes can execute code in both frontend and backend, can read the data, send them over the network etc. Importing a tar archive from an untrusted source is a dangerous thing to do.
But it's true that this should be better documented and emphasized. Maybe it also makes sense to add some kind of "safe import" which would deactivate all the execution hooks during the import.
Yes, "safe import" sounds like a good idea.
Safe import implemented and released in 0.30
Most helpful comment
Yes. This is actually not the only way to execute arbitrary code after import and in other cases disabling nodeIntegration would not help.
Trilium is designed to be scriptable which means the notes can execute code in both frontend and backend, can read the data, send them over the network etc. Importing a tar archive from an untrusted source is a dangerous thing to do.
But it's true that this should be better documented and emphasized. Maybe it also makes sense to add some kind of "safe import" which would deactivate all the execution hooks during the import.