BoostIO/Boostnote

Paste the content that caused the boostnote to jam #3031

maojunxyz posted on GitHub

Current behavior

I saw a copy of the XSS test on the webpage and I want to save it. This is what I have visited: https://www.freebuf.com/articles/web/153055.html

I plan to copy a large amount of content from the web page into the boostnote, but since the pasted content has about 1000 lines, when it is copying into the boostnote, it is stuck and causes the CPU to rise. This text is what I tried to save: https://gist.github.com/imaojun/a0281ae73c9fa9ce77b43597f253a918

When the boostnote was stuck, I killed it and I repeated it many times and encountered the problem mentioned above.

Expected behavior

Copy and paste normally.

Steps to reproduce

  1. Make a markdown note
  2. Copy content from a webpage: https://gist.github.com/imaojun/a0281ae73c9fa9ce77b43597f253a918
  3. Paste into the note

Environment

  • Version: Boostnote 0.11.15
  • OS version and name: Archlinux

After copying & pasting your content partly, like 10 rows at a time, I've found the location where BoostNote is crashing.

If you paste the following line the app will crash: <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe

It's located in chapter 3 in the following line.

I need to do more debugging of what's happening here. I tested it on master.

posted by AWolf81 almost 6 years ago

OK, I did some work on debugging this. It was pretty difficult to debug, but I did it by testing multiple different test strings, and it looks like a regex has a problem with the multiple 'a' letters.

I've tested the following inputs:

crashes
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script:&#97lert(1)>ClickMe
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href="">ClickMe

no crash
<a href="">ClickMe
<a aa href="">ClickMe
<a aa aaa href="">ClickMe
<a aa aaa aaaa href="">ClickMe
<a aa aaa aaaa aaaaa href="">ClickMe
<a aa aaa aaaa aaaaa aaaaaa href="">ClickMe

almost crashing & paste displayed with a lag - then app is really slow & almost crashes
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa href="">ClickMe

crashes (no text rendered - close app & restart required)
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa href="">ClickMe

The "almost" crashing input from above, <a aa aaa aaaa aaaaa aaaaaa aaaaaaa href="">ClickMe, is really useful as debugging with performance profiling is possible, and I got the following profile: [profile screenshot]

sanitizeInline in markdown-it-sanitize-html.js is running really long - not sure how to fix it or why it's taking that long but there is a while loop that could cause the problem. Why is the loop there?

posted by AWolf81 almost 6 years ago
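A demonstration of the ambiguous-quantifier problem that the profile above points at, added here and not part of the thread or of Boostnote: both regexes are constructed for illustration (the actual pattern in markdown-it-sanitize-html.js is not reproduced), `buildTag`, `timeMatch` and `parseAttributes` are hypothetical helpers, and the inputs mirror the test strings listed above.

```javascript
// Added example (not Boostnote's or markdown-it-sanitize-html's code): why an
// attribute-matching regex can hang on pasted tags like "<a aa aaa aaaa ...",
// and a linear tokenizer that handles the same input. Both regexes below are
// constructed for illustration, not the pattern the project actually uses.

// Ambiguous: `[\sa-z]+` repeated by `*` can split " aa aaa aaaa ..." into pieces
// in about 2^(length-1) ways; when the tail (`href="`) fails, every split is tried.
const AMBIGUOUS = /^<a([\sa-z]+)*href="[^"]*">/;

// Unambiguous: each repetition must start with whitespace, so every character
// can be consumed in exactly one way and matching stays linear in the input.
const UNAMBIGUOUS = /^<a(\s+[a-z]+)*\s+href="[^"]*">/;

// Builds '<a aa aaa ... href=VALUE>ClickMe' with n bare attributes, mirroring
// the thread's test strings (constructed sample input).
function buildTag(n, hrefValue) {
  const bare = [];
  for (let i = 2; i <= n + 1; i++) bare.push('a'.repeat(i));
  return `<a ${bare.join(' ')} href=${hrefValue}>ClickMe`;
}

// Runs one regex against one input; reports whether it matched and the wall time.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

// Linear alternative: scan the start tag one attribute token at a time with a
// sticky regex that has no nested quantifiers. Returns [{name, value}] or null.
function parseAttributes(tag) {
  const open = /^<[a-zA-Z][a-zA-Z0-9]*/.exec(tag);
  if (!open) return null;
  const token = /\s+([^\s=>]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?/y;
  token.lastIndex = open[0].length;
  const attrs = [];
  let t;
  while ((t = token.exec(tag)) !== null) {
    attrs.push({ name: t[1].toLowerCase(), value: t[2] ?? t[3] ?? t[4] ?? null });
  }
  return attrs;
}

// An unquoted href makes AMBIGUOUS fail, which is its slow path: work roughly
// doubles per extra character, so n=5 already takes far longer; stop at 4.
for (let n = 1; n <= 4; n++) {
  const input = buildTag(n, 'j&#97v&#97script:&#97lert(1)');
  const slow = timeMatch(AMBIGUOUS, input);
  const fast = timeMatch(UNAMBIGUOUS, input);
  console.log(`n=${n} ambiguous ${slow.ms.toFixed(1)} ms, unambiguous ${fast.ms.toFixed(3)} ms`);
}
console.log(parseAttributes(buildTag(10, '""')));
```

The tokenizer reports the same attributes for the 10-attribute crash string as for a one-attribute tag, in time proportional to the tag length; the entity-encoded href value is returned verbatim for a later scheme check.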

I believe you are pasting code that represents a Quadratic Blowup. The command causing problems is designed to take a substantial amount of time to run in the style of an XML External Entity attack.

https://en.wikipedia.org/wiki/Billion_laughs_attack https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/

The way these attacks work is by structuring requests that take a very, very long time to execute.

I'm not too sure what the appropriate measures should be to prevent a user from pasting code that represents an attack into their own program.

posted by MiloTodt almost 6 years ago

@boostio has funded $30.00 to this issue.


posted by IssueHuntBot almost 6 years ago
