This repository has been archived by the owner on Jan 6, 2024. It is now read-only.

1.4.11 patched the plugin again #28

Open
winneratwin opened this issue Sep 12, 2023 · 13 comments

@winneratwin

line 1056 of main.js when run through js-beautify

e.onBeforeRequest = r, e.onBeforeSendHeaders = r, e.onHeadersReceived = r;

r being a function which returns !1

@acheong08
Owner

That's annoying...

Will debug

@acheong08
Owner

> line 1056 of main.js when run through js-beautify

Where is this main.js?

@winneratwin
Author

> Where is this main.js?

in the obsidian.asar file located at /usr/lib/obsidian/obsidian.asar on linux
extracted it using npx asar extract 1_4_11_app.asar 1_4_11_app.asar.out

@acheong08
Owner

Weird that I only see app.js but not main.js.

@winneratwin
Author

this is the contents of the extracted asar for me

-rw-r--r-- 1 winner winner  392564 Sep 12 01:20 app.css
-rw-r--r-- 1 winner winner 5651151 Sep 12 01:45 app.js
-rw-r--r-- 1 winner winner   20713 Sep 12 01:52 enhance.js
-rw-r--r-- 1 winner winner     580 Sep 12 01:20 help.html
-rw-r--r-- 1 winner winner  299659 Sep 12 01:51 help.js
-rw-r--r-- 1 winner winner   29937 Sep 12 01:20 icon.png
-rw-r--r-- 1 winner winner    1269 Sep 12 01:20 index.html
drwxr-xr-x 6 winner winner    4096 Sep 12 01:20 lib
-rw-r--r-- 1 winner winner   43994 Sep 12 01:24 main.js
-rw-r--r-- 1 winner winner     320 Sep 12 01:20 package.json
-rw-r--r-- 1 winner winner      77 Sep 12 01:20 package-lock.json
drwxr-xr-x 4 winner winner    4096 Sep 12 01:20 public
drwxr-xr-x 5 winner winner    4096 Sep 12 01:20 sandbox
-rw-r--r-- 1 winner winner   17679 Sep 12 01:20 sim.js
-rw-r--r-- 1 winner winner     583 Sep 12 01:20 starter.html
-rw-r--r-- 1 winner winner  378050 Sep 12 01:25 starter.js
-rw-r--r-- 1 winner winner  225705 Sep 12 01:20 worker.js

@acheong08
Owner

Ah. I was looking from electron's sources menu. Weird that it isn't included there.

@acheong08
Owner

acheong08 commented Sep 12, 2023

Considering this is already broken on mobile and there are no impediments to editing obsidian.asar directly on Desktop, I think that is a much easier solution than spending hours to patch it while limited to a plugin. It should be possible to make a GitHub workflow to automatically patch and release "vulnerable" versions of ObsidianMD

@acheong08
Owner

Looks like they also intentionally added some code to detect when the websocket URL is wrong

@acheong08
Owner

acheong08 commented Sep 12, 2023

if (!HJ.call(u, ".obsidian.md") && "127.0.0.1" !== u)
    return s(new Error("Unable to connect to server."));

"Unable to connect to server". What a misleading error message...

@acheong08
Owner

@truongmanhsang

I think we need a separate tool to capture system request and return custom response 😆

@ShiinaRinne

> I think we need a separate tool to capture system request and return custom response 😆

This is my simple attempt using Fiddler at 1.4.13:

OnBeforeRequest

if(oSession.host.EndsWith("api.obsidian.md")){
    oSession["ui-backcolor"] = "yellow"; 
    oSession.fullUrl = oSession.fullUrl.Replace("api.obsidian.md", "example.com");
}

Then manually enter this.host="api.obsidian.md" in the console before executing this function, so that it can continue working

Btw, I attempted this modification in OnBeforeResponse, but it did not take effect.
I haven't studied web and JS, so I'm not sure what changes should be made. I hope that helps.

OnBeforeResponse

if(oSession.host.EndsWith("example.com")){
    oSession["ui-backcolor"] = "blue";
    oSession.host="api.obsidian.md";
    oSession.fullUrl = oSession.fullUrl.Replace("example.com", "api.obsidian.md");
}

@acheong08
Owner

@ShiinaRinne I'm currently working on https://github.com/acheong08/obi-sync-lib which should fix the issue.

It'll take a few weeks but once that is done, Obsidian should no longer be able to patch the plugin without causing significant issues with other legit plugins
