Headline
CVE-2023-35174: Merge pull request from GHSA-564w-97r7-c6p9 · livebook-dev/livebook@2e11b59
Livebook is a web application for writing interactive and collaborative code notebooks. On Windows, it is possible to open a `livebook://` link from a browser that opens Livebook Desktop and triggers arbitrary code execution on the victim's machine. Any user running Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from the browser. This vulnerability has been fixed in versions 0.8.2 and 0.9.3.
@@ -300,6 +300,25 @@ defmodule Livebook.Utils do
“data:#{mime};base64,#{data}”
end
@doc “"”
Expands URL received from the Desktop App for opening in the browser.
“"”
def expand_desktop_url(“”) do
LivebookWeb.Endpoint.access_url()
end
def expand_desktop_url(“/settings”) do
to_string(%{LivebookWeb.Endpoint.access_struct_url() | path: "/settings"})
end
def expand_desktop_url(“file://” <> path) do
notebook_open_url(path)
end
def expand_desktop_url(“livebook://” <> rest) do
notebook_import_url(“https://#{rest}”)
end
@doc “"”
Opens the given `url` in the browser.
“"”
@@ -316,10 +335,15 @@ defmodule Livebook.Utils do
{:unix, _} ->
cond do
System.find_executable(“xdg-open”) -> {"xdg-open", [url]}
System.find_executable(“xdg-open”) ->
{"xdg-open", [url]}
# When inside WSL
System.find_executable(“cmd.exe”) -> {"cmd.exe", win_cmd_args}
true -> nil
System.find_executable(“cmd.exe”) ->
{"cmd.exe", win_cmd_args}
true ->
nil
end
end
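Review bot: this hunk only reflows the three `cond` clauses onto two lines each and changes no behaviour, which makes the security-relevant part of the commit harder to spot; keep cosmetic reformatting out of a fix commit. The branch that matters here is the WSL one: `{"cmd.exe", win_cmd_args}` still hands the URL to `cmd.exe`, which interprets `&`, `|`, `^` and `%` inside its arguments, and `win_cmd_args` is built outside the visible lines. Since the URL now arrives through `expand_desktop_url/1`, a test that opens a `livebook://` link containing `&` and `%` and asserts that the resulting argument list is escaped would show that this path is actually closed.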