[GH-ISSUE #5195] [Bug][Security] Markdown does not have any URI scheme restrictions #2299

Open
opened 2026-03-23 21:21:15 +00:00 by mirror · 0 comments

Originally created by @stypr on GitHub (Apr 23, 2024).
Original GitHub issue: https://github.com/AppFlowy-IO/AppFlowy/issues/5195

Bug Description

There doesn't seem to be any URI scheme validation when the URL is already set on the link.
This makes it possible for attackers to make a malicious link that can open any kind of URI on the client side, including any executables, deeplinks and files in the directory.
As a result, an attacker can maliciously craft a payload to harm other users by leaving a link on the page.

It may not sound exploitable at all, but if the victim's system has an application that has a vulnerability in its deeplink implementation, this issue can be leveraged to achieve arbitrary code execution.

How to Reproduce

Opening cmd.exe

  1. Create a new document with the following text
     [Click Me](file:///C:\Windows\System32\calc.exe)
  2. Convert it to the link -- You can remove ) and re-add ) to make it a link

  3. Click on a link, Open link

  4. Confirm that cmd is opened

Other possible deeplinks

[deeplink1](appflowy-flutter://#access_token=1234&refresh_token=1234)
[deeplink2](AppFlowy://12341234)
[deeplink3](calculator://1)

Expected Behavior

URL needs to be validated and needs to print Incorrect Link.

Operating System

Windows 11 x86_64

AppFlowy Version(s)

0.5.4

Screenshots

No response

Additional Context

No response
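
One way to implement the expected behaviour, as an added example that is not AppFlowy's code or part of the original report: an allowlist check applied at the moment a link is opened, so links whose URL is already set are covered as well. The function names and the allowed schemes (http, https, mailto) are assumptions, and the sample list is constructed from the links in the report plus two benign ones.

```dart
// Added example: URI scheme allowlist for Markdown link targets.
// Function names and the allowlist are assumptions, not AppFlowy's code.

/// Schemes a document link may open (assumed policy).
const allowedSchemes = {'http', 'https', 'mailto'};

/// Matches an inline Markdown link and captures its target.
final linkPattern = RegExp(r'\[[^\]]*\]\(([^)\s]+)\)');

/// Characters that have no place in a clickable target: control
/// characters and backslashes (Windows path separators).
final forbiddenChars = RegExp(r'[\x00-\x1f\x7f\\]');

/// Returns the parsed URI when it may be handed to the OS launcher,
/// or null when the editor should show "Incorrect Link" instead.
Uri? validateLinkTarget(String raw) {
  final target = raw.trim();
  if (target.isEmpty || forbiddenChars.hasMatch(target)) return null;
  final uri = Uri.tryParse(target);
  if (uri == null || !uri.hasScheme) return null;
  // Uri normalizes the scheme to lower case, so "HTTPS" and "AppFlowy"
  // compare correctly against the lower-case allowlist.
  if (!allowedSchemes.contains(uri.scheme)) return null;
  // Web links must name a host; this rejects forms such as "https:foo".
  if (uri.scheme != 'mailto' && uri.host.isEmpty) return null;
  return uri;
}

void main() {
  // Constructed sample input: the links from the report plus two benign ones.
  const samples = [
    r'[Click Me](file:///C:\Windows\System32\calc.exe)',
    r'[deeplink1](appflowy-flutter://#access_token=1234&refresh_token=1234)',
    r'[deeplink2](AppFlowy://12341234)',
    r'[deeplink3](calculator://1)',
    r'[docs](HTTPS://example.com/guide)',
    r'[mail](mailto:security@example.com)',
  ];
  for (final markdown in samples) {
    final target = linkPattern.firstMatch(markdown)?.group(1) ?? '';
    final verdict =
        validateLinkTarget(target) == null ? 'Incorrect Link' : 'allowed';
    print('$verdict: $target');
  }
}
```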
