hackmdio / codimd

CodiMD - Realtime collaborative markdown notes on all platforms.
https://hackmd.io/c/codimd-documentation
GNU Affero General Public License v3.0

Denial of Service in actionPandoc. #1846

Closed y0d3n closed 9 months ago

y0d3n commented 9 months ago

Summary

It takes advantage of the fact that the properties of req.query.xxx can be overridden. (Implicitly, in outputFormats[exportType], toString is called on variables such as exportType.)

lib/note/noteActions.js#L136 is inside the async function and outside try/catch, so an error here will stop the entire application.

https://github.com/hackmdio/codimd/blob/cc78023d98658302f6ea5ca2a8ca18f60acf0760/lib/note/noteActions.js#L135-L136

Steps to reproduce

  1. Create a note and get the ID from the URL. Here it is http://localhost:3000/cCijJWDqR3Ot9etF_oFmDw
  2. Access http://localhost:3000/cCijJWDqR3Ot9etF_oFmDw/pandoc?exportType[toString]=test (replace the ID accordingly)

TypeError: Cannot convert object to primitive value
    at actionPandoc (/home/yoden/work/project/codimd/lib/note/noteActions.js:136:36)
    at noteActions (/home/yoden/work/project/codimd/lib/note/index.js:187:7)
2024-01-03T15:32:10.225Z error: An uncaught exception has occured.
2024-01-03T15:32:10.225Z error: Cannot convert object to primitive value
TypeError: Cannot convert object to primitive value
    at actionPandoc (/home/yoden/work/project/codimd/lib/note/noteActions.js:136:36)
    at noteActions (/home/yoden/work/project/codimd/lib/note/index.js:187:7)
{
  level: 'error',
  timestamp: '2024-01-03T15:32:10.225Z',
  [Symbol(message)]: '2024-01-03T15:32:10.225Z error: \tCannot convert object to primitive value'
}
2024-01-03T15:32:10.226Z error: Process will exit now.

Suggested fix

Include the problematic part in the try/catch for proper error handling.
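The mechanism described in this report, as an added example that is not part of the issue or of codimd's own code: a bracketed query key such as `exportType[toString]=test` is parsed into a plain object whose own `toString` property is the string `"test"`, and the property access `outputFormats[exportType]` then runs ToPrimitive on that object, finds a non-callable `toString`, falls back to `valueOf` (which returns the object itself) and throws `TypeError: Cannot convert object to primitive value`. The block models Express's default `qs`-style query parsing with a deliberately minimal `parseQuery`, shows the vulnerable lookup beside a hardened one that accepts only a string naming a key the table actually owns, and keeps the lookup inside `try/catch` as the suggested fix proposes. `outputFormats`' keys, `parseQuery`, `lookupSafe`, `handlePandoc` and `unsafePathThrows` are hypothetical names constructed here and do not reproduce codimd's actual table or handler.

```javascript
'use strict';

// Hypothetical stand-in for the table that outputFormats[exportType] indexes in
// actionPandoc; the real keys are not reproduced here.
const outputFormats = Object.freeze({
  pdf: 'pdf',
  docx: 'docx',
  odt: 'odt',
});

// Minimal model of Express's default query parser (qs with allowPrototypes: true):
// "a=1&b[c]=2" -> { a: '1', b: { c: '2' } }. Constructed for this example; real qs
// handles far more syntax, but this is enough to show how a bracketed key becomes
// an own property named "toString" on a plain object.
function parseQuery(queryString) {
  const query = {};
  for (const pair of queryString.split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const value = decodeURIComponent(rawValue);
    const m = /^([^[\]]+)\[([^[\]]*)\]$/.exec(key);
    if (m) {
      const [, outer, inner] = m;
      if (typeof query[outer] !== 'object' || query[outer] === null) query[outer] = {};
      query[outer][inner] = value; // own property; "toString" shadows Object.prototype.toString
    } else {
      query[key] = value;
    }
  }
  return query;
}

// Vulnerable lookup with the same shape as the original: the property access
// coerces exportType to a property key. For { toString: 'test' } that is
// ToPrimitive with hint "string": toString is not callable, valueOf returns the
// object itself, so the engine throws TypeError: Cannot convert object to primitive value.
function lookupUnsafe(exportType) {
  return outputFormats[exportType];
}

// Hardened lookup: only a plain string is a valid export type, and only a key the
// table itself owns (so inherited names such as "constructor" are rejected too).
function lookupSafe(exportType) {
  if (typeof exportType !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(outputFormats, exportType)) return null;
  return outputFormats[exportType];
}

// Simulated handler returning an HTTP-style result instead of writing a response.
// The lookup sits inside the try/catch, as the suggested fix proposes, so an
// unexpected throw becomes a 500 for this request rather than an uncaught
// exception that terminates the whole process.
function handlePandoc(queryString) {
  const query = parseQuery(queryString);
  try {
    const format = lookupSafe(query.exportType);
    if (format === null) return { status: 400, body: 'unsupported exportType' };
    return { status: 200, body: `would run pandoc with output format ${format}` };
  } catch (err) {
    return { status: 500, body: err.message };
  }
}

// Shows that the unsafe path really raises the TypeError seen in the report.
function unsafePathThrows(queryString) {
  const query = parseQuery(queryString);
  try {
    lookupUnsafe(query.exportType);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```

The check in `lookupSafe` does the actual protection: `typeof exportType === 'string'` rejects every object the query parser can manufacture, and `hasOwnProperty` stops `exportType=constructor` or `exportType=toString` from resolving to inherited functions. The `try/catch` in `handlePandoc` is defence in depth for whatever else the handler does, not a substitute for validating the input.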

y0d3n commented 9 months ago

Good correction. Can I request a CVE number for this vulnerability?

a60814billy commented 9 months ago

Hi @y0d3n, Sure thing!