High severity · NVD Advisory · Published Dec 11, 2024 · Updated Dec 12, 2024
SiYuan has an arbitrary file read and path traversal via /api/export/exportResources
CVE-2024-55658
Description
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing out of the workspace directory structure. Version 3.1.16 contains a patch for the issue.
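The description above amounts to "a caller-supplied relative path is joined onto the workspace directory and used as-is". The following Go program is an added example, not SiYuan's code: it places the unchecked join beside a hardened version that refuses any path resolving outside the workspace, which is the shape of the 3.1.16 fix. The workspace location, the sample paths and the `isSubPath` helper are all constructed for this example (the project's real `util.IsSubPath` is not shown on this page).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// workspaceDir stands in for SiYuan's util.WorkspaceDir (constructed value).
const workspaceDir = "/srv/siyuan/workspace"

// resolveUnchecked mirrors the pre-3.1.16 behaviour: the caller-supplied
// relative path is joined onto the workspace with no containment check.
// filepath.Join cleans the result, so "../" segments walk out of the root.
func resolveUnchecked(resourcePath string) string {
	return filepath.Join(workspaceDir, resourcePath)
}

// isSubPath reports whether target lies inside root (or equals it).
// It is a lexical check written for this example; it does not follow
// symlinks, so a symlink inside the workspace can still point outside it.
func isSubPath(root, target string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(target))
	if err != nil {
		return false
	}
	if rel == "." {
		return true
	}
	// Any relative path that starts by climbing out of root is rejected.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveChecked is the hardened form: join first, then refuse anything that
// resolved outside the workspace. The error echoes only the caller's input,
// not the absolute server path.
func resolveChecked(resourcePath string) (string, error) {
	full := filepath.Join(workspaceDir, resourcePath)
	if !isSubPath(workspaceDir, full) {
		return "", errors.New("resource path [" + resourcePath + "] is not in workspace")
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate asset, two traversal attempts.
	for _, p := range []string{"data/assets/note.png", "../../../etc/passwd", "data/../../outside"} {
		fmt.Printf("%-24s unchecked -> %s\n", p, resolveUnchecked(p))
		if full, err := resolveChecked(p); err != nil {
			fmt.Printf("%-24s checked   -> rejected: %v\n", p, err)
		} else {
			fmt.Printf("%-24s checked   -> %s\n", p, full)
		}
	}
}
```

The check runs on the joined, cleaned path rather than on the raw input, so encoded or doubled separators that `filepath.Join` normalises are handled the same way as a plain `../`. A production version should also resolve symlinks (`filepath.EvalSymlinks`) before the containment test, since the lexical comparison alone does not see through them.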
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | <= 0.0.0-20241210012039-5129ad926a21 | — |
Affected products
- Range: < 3.1.16
Patches
e70ed57f6e48 :lock: Some security vulnerabilities https://github.com/siyuan-note/siyuan/issues/13426
5 files changed · +28 −1
kernel/api/template.go+6 −0 modified@@ -80,6 +80,12 @@ func renderTemplate(c *gin.Context) { return } + if !util.IsAbsPathInWorkspace(p) { + ret.Code = -1 + ret.Msg = "Path [" + p + "] is not in workspace" + return + } + preview := false if previewArg := arg["preview"]; nil != previewArg { preview = previewArg.(bool)
kernel/model/export.go+7 −1 modified@@ -532,7 +532,13 @@ func ExportResources(resourcePaths []string, mainName string) (exportFilePath st // 将需要导出的文件/文件夹复制到临时文件夹 for _, resourcePath := range resourcePaths { - resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath) // 资源完整路径 + resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath) // 资源完整路径 + if !util.IsAbsPathInWorkspace(resourceFullPath) { + logging.LogErrorf("resource path [%s] is not in workspace", resourceFullPath) + err = errors.New("resource path [" + resourcePath + "] is not in workspace") + return + } + resourceBaseName := filepath.Base(resourceFullPath) // 资源名称 resourceCopyPath := filepath.Join(exportFolderPath, resourceBaseName) // 资源副本完整路径 if err = filelock.Copy(resourceFullPath, resourceCopyPath); err != nil {
kernel/model/upload.go+5 −0 modified@@ -132,6 +132,11 @@ func Upload(c *gin.Context) { if nil != form.Value["assetsDirPath"] { relAssetsDirPath = form.Value["assetsDirPath"][0] assetsDirPath = filepath.Join(util.DataDir, relAssetsDirPath) + if !util.IsAbsPathInWorkspace(assetsDirPath) { + ret.Code = -1 + ret.Msg = "Path [" + assetsDirPath + "] is not in workspace" + return + } } if !gulu.File.IsExist(assetsDirPath) { if err = os.MkdirAll(assetsDirPath, 0755); err != nil {
kernel/treenode/template.go+6 −0 modified@@ -31,6 +31,12 @@ import ( func BuiltInTemplateFuncs() (ret template.FuncMap) { ret = sprig.TxtFuncMap() + + // 因为安全原因移除一些函数 https://github.com/siyuan-note/siyuan/issues/13426 + delete(ret, "env") + delete(ret, "expandenv") + delete(ret, "getHostByName") + ret["Weekday"] = util.Weekday ret["WeekdayCN"] = util.WeekdayCN ret["WeekdayCN2"] = util.WeekdayCN2
kernel/util/path.go+4 −0 modified@@ -302,3 +302,7 @@ func GetAbsPathInWorkspace(relPath string) (string, error) { } return "", os.ErrPermission } + +func IsAbsPathInWorkspace(absPath string) bool { + return IsSubPath(WorkspaceDir, absPath) +}
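Review bot: in the renderTemplate hunk the new guard puts the full path `p` into `ret.Msg`, which discloses the server's workspace location to whoever sent the request; report the caller-supplied argument (or a generic "path is not in workspace") in the response and keep the absolute path for the log only. Placing the check after `p` is fully constructed is right, since `IsAbsPathInWorkspace` expects an absolute path.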
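Review bot: in the ExportResources hunk the check sits inside the copy loop, so a rejected entry returns after earlier entries have already been copied into `exportFolderPath` (the comment above the loop describes it as a temporary folder); either validate every element of `resourcePaths` before the loop starts or remove the partial export folder on this early return. Logging `resourceFullPath` while putting only `resourcePath` in the client-facing error is the right split. If `IsSubPath` is a lexical check (its body is not in this diff), a symlink inside the workspace still resolves outside it; consider running `filepath.EvalSymlinks` on `resourceFullPath` before the containment test.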
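Review bot: in the Upload hunk `ret.Msg` echoes the absolute `assetsDirPath` (built from `util.DataDir`) back to the client, unlike export.go which reports the relative value; use `relAssetsDirPath` in the message, e.g. `ret.Msg = "Path [" + relAssetsDirPath + "] is not in workspace"`, so the data directory location is not disclosed.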
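Review bot: in the BuiltInTemplateFuncs hunk, deleting `env`, `expandenv` and `getHostByName` from the sprig map is a deny list that silently breaks any existing template using them and has to be re-applied whenever sprig is upgraded; add a unit test asserting these three keys are absent from `BuiltInTemplateFuncs()` and record the removal in the changelog alongside the issue link already in the comment.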
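Review bot: `IsAbsPathInWorkspace` in path.go has no doc comment and does not verify the precondition its name states, that `absPath` is absolute and cleaned; given a relative argument, `IsSubPath(WorkspaceDir, absPath)` answers a different question than callers assume. Either fold `filepath.IsAbs(absPath)` into the returned condition or document that callers must pass `filepath.Join` or `filepath.Abs` output, as the three call sites in this patch do.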
References
- github.com/advisories/GHSA-25w9-wqfq-gwqx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-55658 (NVD advisory)
- github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71 (fix commit, x_refsource_MISC)
- github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx (vendor advisory, x_refsource_CONFIRM)
- pkg.go.dev/vuln/GO-2024-3323 (Go vulnerability database)
News mentions
No linked articles in our index yet.