Steps to reproduce
- Create a new note
- Create a code-block like this and set the type to text:
(not sure text is needed but that’s how I did it)
GET /meteor/index.php?page=admin.php HTTP/1.1
Host: mountaindesserts.com
User-Agent: Mozilla/5.0 (X11; <?php echo system($_GET['cmd']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://mountaindesserts.com/meteor/
Upgrade-Insecure-Requests: 1
Priority: u=0, i
- Remove the blank lines between each header.
- Wait a few seconds and boom, page is now gone.
Did you follow the troubleshooting guide?
Yes, I tried it in both my own vault and the sandbox vault; it happens consistently every single time.
Expected result
You should have a code-block containing the request headers.
Actual result
The page disappears after a few seconds.
Environment
SYSTEM INFO:
Obsidian version: v1.7.7
Installer version: v1.4.13
Operating system: Windows 10 Pro 10.0.19045
Login status: not logged in
Language: en
Insider build toggle: off
Live preview: on
Base theme: adapt to system
Community theme: none
Snippets enabled: 0
Restricted mode: on
RECOMMENDATIONS:
none
Additional information
I discovered this while studying for my OSCP exam (Offensive Security Certified Professional). The offending HTTP request contains a piece of PHP code which you might believe is malicious. Rest assured that the code contained there is perfectly safe.
The host is not a real website; it’s part of a lab environment which I was working in at the time.
I was merely trying to document my progress on a lab assignment.
Looking in the developer console (using Ctrl-Shift-I), I see there was an error that looks like this:
Error: UNKNOWN: unknown error, open ‘C:\Users\K0iB1t\AppData\Roaming\obsidian\Obsidian Sandbox\Untitled.md’
(anonymous) @ app.js:1
Looking inside app.js, the error points to an undefined variable, which I’ve highlighted for you with an arrow:
case 1:
return a.sent(),
[3, 3];
case 2:
return o = a.sent(), <------------------- Undefined
console.error(o),
[3, 3];
case 3:
return this.inProgressTaskCount--,
0 === this.inProgressTaskCount && this.didFinish(),
[2]
This bug nearly caused me to lose several days’ worth of study notes. I’m now very scared to use your application to take notes as I will likely be pasting more offensive code and similar.
Thank goodness for the history function that I could use to retrieve the notes I had made up until the code-block.
Please don’t hesitate to email me if you need further information.
I’m also available on Discord should you wish to chat directly.
Best Regards
K0ib1t