Trilium: Arbitrary Code Execution

Created on 31 Jan 2019  路  3Comments  路  Source: zadam/trilium

Description: Importing tar file can lead to arbitrary code execution.

Reproduction Steps:

  1. Create a note Test and set the Type to Render HTML Note.
  2. Now create a child note and set the Type to HTML. Paste in the following code into the child note that you just created.
<script>top.require('child_process').exec('calc')</script>
  1. In the attributes of Test, set Type to Relation, Name to renderNote and Value to child note.
  2. If you click on parent note Test, you'll see a calculator pop up. If you are on Mac or Linux, replace 'calc' with any other shell command/program.
  3. You can export the Test note as a HTML which will give you a tar file. Now delete the Test note from the application.
  4. Import the tar file, you'll see a calculator pop up. So just by importing a tar file there's arbitrary code execution.

Fix: Disable nodeIntegration

Most helpful comment

Yes. This is actually not the only way to execute arbitrary code after import and in other cases disabling nodeIntegration would not help.

Trilium is designed to be scriptable which means the notes can execute code in both frontend and backend, can read the data, send them over the network etc. Importing a tar archive from an untrusted source is a dangerous thing to do.

But it's true that this should be better documented and emphasized. Maybe it also makes sense to add some kind of "safe import" which would deactivate all the execution hooks during the import.

All 3 comments

Yes. This is actually not the only way to execute arbitrary code after import and in other cases disabling nodeIntegration would not help.

Trilium is designed to be scriptable which means the notes can execute code in both frontend and backend, can read the data, send them over the network etc. Importing a tar archive from an untrusted source is a dangerous thing to do.

But it's true that this should be better documented and emphasized. Maybe it also makes sense to add some kind of "safe import" which would deactivate all the execution hooks during the import.

Yes, "safe import" sounds like a good idea.

Safe import implemented and released in 0.30

Was this page helpful?
0 / 5 - 0 ratings

Related issues

gerroon picture gerroon  路  6Comments

TTtrace picture TTtrace  路  5Comments

apg-dev picture apg-dev  路  5Comments

lerone-b picture lerone-b  路  6Comments

wwalc picture wwalc  路  3Comments