Just for fun, I wrote this, and the source code is completely open on GitHub. I prefer to implement Obsidian's note citation function, so I may implement it later.
That's very cool, but also just a little bit scary. The fact that an externally served website can somehow read the information I have in Joplin? How does that work?
Because Joplin did not add token verification to two APIs, because the web clipper uses them.
- I really hope that as a minimum this is running in my browser only,
- Even so how can the app access my Joplin tag data without the authorisation token?
- What's to stop a version of this script hoovering up other data from Joplin?
- And, what's to stop the app being modified to send any of this data home (if it does not already)?
Any comments / reassurance regarding this?
- Yes, it can only be accessed by websites running in your computer's browser, unless you allow public Internet access and you have a public IP (normal users will not have one)
- This is to make it easier for third-party plug-ins to implement clipping and saving web pages to Joplin @laurent
- Use user.js in the browser to block it, or modify the API authentication in Joplin
- There is no guarantee. In theory, malicious websites can automatically add any number of junk notes
In fact, this is essentially a trade-off between safety and convenience. Although I personally think this approach is problematic, I don't have much motivation to modify it...
So, in theory, a version of your app could be deployed on a malicious website to inject data using the unprotected web clipper service. Could it extract everything as well?
Regardless, surely that is not a "trade off", that is a huge security vulnerability.
I have switched the webclipper service off and will wait for some input from @laurent.
This has been discussed many times before. No, notes cannot be read, modified or deleted. Yes, tags and folders can currently be read, but not modified or deleted. Eventually we might enforce a login process on the clipper.
Obviously my searching let me down.
It was the "In theory, malicious websites can automatically add any number of junk notes" comment that concerned me. Thanks for the clarification.
Still a tad concerned that anyone can place an app on an Internet website that can read data from Joplin on my machine, albeit just tags (and how many times they have been used) and folder names, without any form of permission or authentication.
Joplin is not popular enough to be targeted in that way. If someone's going to deploy an exploit they would target apps used by millions of people, not an open source app with a clipper server that may or may not be enabled, just to get some tag or folder names. But I'm aware this is a trade off which might have to be looked at, at some point.
When the clipper was released and from time to time afterwards, the topic of how to implement the authentication workflows comes up. For example:
One possible option might be to use e.g. an AES cipher to encrypt the communication (which could then continue working over HTTPS). You would need to pre-share a key, but that could be well automated, I think. It could then work like this: the user installs the web clipper extension and clicks 'connect to Joplin'. Joplin displays a popup, something to the effect of 'attempted connection to Web Clipper endpoint, do you want to allow it?' The user clicks 'yes'. A random encryption key is gene…
Just being curious here. Today, I was a bit baffled being able to write new Joplin notes despite not having passed the authentication token, which led to the source code research. A more consequent (in my eyes better) strategy would be: `const whiteList = [['GET', 'ping']];` Though I only use the REST API from an external application, so I cannot say anything about the web clipper.
You didn't have to list any posts! I really did mean that my searching let me down.
I did however have a look through them. In addition to reading tags and folders, `['POST', 'notes']` appears to be another allowed method. So, is @rxliuli's comment that a malicious actor could create a similar web-based app that delivers a payload of notes (or just a single note) into Joplin technically correct?
Yes, as far as I know the web clipper can create notes (without a token...)
The reason no problems have occurred is that Joplin is not popular enough, but things that can happen will always happen eventually. I will demonstrate how a website can create a large number of junk notes (they will be placed in a test directory).
Please note that the web clipper is only bound to localhost. No external traffic is able to connect.
I created a page; the demo website can create notes directly. If I wanted to, I could read all directories and create any number of junk notes in a directory (here it will create a note in the first notebook in the root directory, named "For test title"). @tessus
If necessary, go to another post for discussion
ref link: Joplin REST API: Why are certain endpoints whitelisted?
You did not understand what I was saying. When the web clipper runs on machine A, only processes that run on machine A and have access to the loopback adapter (127.0.0.1) can connect to the web clipper.
So even if the machine were connected to the Internet without a firewall, nobody could connect to the web clipper.
Sorry to go on about this but I don't have the knowledge about these things that you do. Could you clarify something for me?
@rxliuli's post above states,
I created a page, the demo website can create notes directly, if I want to, I can read all directories, and create any number of junk notes in the directory
and provides a link to the app.
You state that as the web clipper service is bound to localhost, external apps cannot access the web clipper service. Fair enough, understood.
I set up a test machine with Joplin and with the web clipper service running. I followed the link and no note was created. However, each time I clicked the link the file log-clipper.txt recorded an entry that looked like this: 2020-10-29 16:02:00: "Request: GET /folders?token="
(that is a complete entry)
If @rxliuli's app cannot communicate with the web clipper service because it only communicates through localhost, how can the service record a log entry? I think I am missing something obvious here!!!
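As an added example (not Joplin's code and not from anyone in this thread), the following models the token-free whitelist discussed at the `const whiteList` post above and parses entries in the log-clipper.txt format quoted in the last post, flagging requests that only got through because an endpoint was whitelisted. The whitelist contents, the log format and the sample entries are assumptions taken from the thread, not from Joplin's source.

```python
import hmac
import re

# Token-free (method, resource) pairs as the thread describes them: ping,
# folders, tags, and note creation. Constructed here, not Joplin's own source.
CURRENT_WHITELIST = {("GET", "ping"), ("GET", "folders"), ("GET", "tags"), ("POST", "notes")}
# The stricter alternative proposed in the thread: only ping without a token.
PING_ONLY_WHITELIST = {("GET", "ping")}

# Matches the log-clipper.txt entry format quoted in the thread, e.g.
#   2020-10-29 16:02:00: "Request: GET /folders?token="
LOG_RE = re.compile(
    r'^(\S+ \S+): "Request: (GET|POST|PUT|DELETE) (/[^?"\s]*)(?:\?([^"]*))?"$')

def is_authorized(method, path, token, expected_token, whitelist):
    """Model of the check: allow if the token matches, otherwise only if the
    (method, top-level resource) pair is on the whitelist."""
    if token and hmac.compare_digest(token, expected_token):
        return True
    return (method, path.strip("/").split("/")[0]) in whitelist

def parse_log_line(line):
    """Split one log entry into timestamp, method, path and token value."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, method, path, query = m.groups()
    params = dict(p.split("=", 1) if "=" in p else (p, "")
                  for p in (query or "").split("&") if p)
    return {"ts": ts, "method": method, "path": path,
            "token": params.get("token", "")}

def find_tokenless_requests(lines, whitelist=CURRENT_WHITELIST):
    """Entries that reached a whitelisted endpoint other than ping with no
    token: requests that only succeeded because of the whitelist."""
    hits = []
    for e in filter(None, map(parse_log_line, lines)):
        res = e["path"].strip("/").split("/")[0]
        if not e["token"] and res != "ping" and (e["method"], res) in whitelist:
            hits.append(e)
    return hits

# Constructed sample log; the first line copies the entry quoted in the thread.
SAMPLE_LOG = [
    '2020-10-29 16:02:00: "Request: GET /folders?token="',
    '2020-10-29 16:02:01: "Request: POST /notes?token="',
    '2020-10-29 16:02:02: "Request: GET /ping"',
    '2020-10-29 16:05:00: "Request: GET /notes?token=abc123"',
]
```

Running `find_tokenless_requests(SAMPLE_LOG)` flags the `/folders` and `/notes` entries, while the same log checked against `PING_ONLY_WHITELIST` flags nothing, which is the difference the two whitelists make. Note that a page loaded in the local browser makes the browser, itself a local process, send the request, so it arrives over loopback and is logged like any other.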