High severity · NVD Advisory · Published Dec 11, 2024 · Updated Dec 12, 2024
SiYuan has an arbitrary file write in the host via /api/asset/upload
CVE-2024-55659
Description
SiYuan is a personal knowledge management system. Prior to version 3.1.16, the /api/asset/upload endpoint in SiYuan is vulnerable to both arbitrary file write on the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.
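The description above names the flaw (a client-controlled upload directory landing outside the intended tree) but does not show what a correct containment check looks like. The following is an added example written for this page, not SiYuan's own code: it assumes a workspace root of `/srv/siyuan/workspace` with uploads meant for `<workspace>/data`, and uses its own `isSubPath` (built on `filepath.Rel`, not the kernel's `IsSubPath`) so that a sibling directory sharing the workspace's name as a prefix is not mistaken for a child. It goes one step beyond the page by checking containment against the data directory rather than the workspace root.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// workspaceDir stands in for the server-side workspace root (assumed
// value for this example; the real SiYuan kernel uses util.WorkspaceDir).
const workspaceDir = "/srv/siyuan/workspace"

// dataDir is where uploads are meant to land (assumed layout: <workspace>/data).
var dataDir = filepath.Join(workspaceDir, "data")

// isSubPath reports whether child is root itself or lies beneath root.
// filepath.Rel is used instead of a string prefix so that a sibling such as
// "/srv/siyuan/workspace-evil" is not treated as a child of
// "/srv/siyuan/workspace". The comparison is lexical: if the tree may
// contain symlinks, resolve both sides with filepath.EvalSymlinks first.
func isSubPath(root, child string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(child))
	if err != nil {
		return false
	}
	if rel == "." {
		return true
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveUploadDir mirrors the upload flow: the client-supplied relative
// assets directory is joined under dataDir, and the joined result is then
// checked for containment. filepath.Join collapses ".." segments, so the
// check runs on the path that would actually be used on disk.
func resolveUploadDir(relAssetsDirPath string) (string, error) {
	assetsDirPath := filepath.Join(dataDir, relAssetsDirPath)
	if !isSubPath(dataDir, assetsDirPath) {
		return "", fmt.Errorf("path [%s] is not in the data directory", relAssetsDirPath)
	}
	return assetsDirPath, nil
}

func main() {
	// Constructed inputs: one legitimate subdirectory, one that escapes into
	// a workspace sibling, and one that escapes the workspace entirely.
	for _, rel := range []string{"assets", "assets/../../conf", "../../../../etc"} {
		p, err := resolveUploadDir(rel)
		fmt.Printf("%-20s -> %q err=%v\n", rel, p, err)
	}
}
```

Checking against `dataDir` rather than the workspace root is the stricter choice: a relative path that resolves to `<workspace>/conf` is inside the workspace but is still not a place an asset upload should write.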
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | <= 0.0.0-20241210012039-5129ad926a21 | — |
Affected products
- Range: < 3.1.16
Patches
- e70ed57f6e48 :lock: Some security vulnerabilities https://github.com/siyuan-note/siyuan/issues/13426
5 files changed · +28 −1
kernel/api/template.go+6 −0 modified@@ -80,6 +80,12 @@ func renderTemplate(c *gin.Context) { return } + if !util.IsAbsPathInWorkspace(p) { + ret.Code = -1 + ret.Msg = "Path [" + p + "] is not in workspace" + return + } + preview := false if previewArg := arg["preview"]; nil != previewArg { preview = previewArg.(bool)
kernel/model/export.go+7 −1 modified@@ -532,7 +532,13 @@ func ExportResources(resourcePaths []string, mainName string) (exportFilePath st // 将需要导出的文件/文件夹复制到临时文件夹 for _, resourcePath := range resourcePaths { - resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath) // 资源完整路径 + resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath) // 资源完整路径 + if !util.IsAbsPathInWorkspace(resourceFullPath) { + logging.LogErrorf("resource path [%s] is not in workspace", resourceFullPath) + err = errors.New("resource path [" + resourcePath + "] is not in workspace") + return + } + resourceBaseName := filepath.Base(resourceFullPath) // 资源名称 resourceCopyPath := filepath.Join(exportFolderPath, resourceBaseName) // 资源副本完整路径 if err = filelock.Copy(resourceFullPath, resourceCopyPath); err != nil {
kernel/model/upload.go+5 −0 modified@@ -132,6 +132,11 @@ func Upload(c *gin.Context) { if nil != form.Value["assetsDirPath"] { relAssetsDirPath = form.Value["assetsDirPath"][0] assetsDirPath = filepath.Join(util.DataDir, relAssetsDirPath) + if !util.IsAbsPathInWorkspace(assetsDirPath) { + ret.Code = -1 + ret.Msg = "Path [" + assetsDirPath + "] is not in workspace" + return + } } if !gulu.File.IsExist(assetsDirPath) { if err = os.MkdirAll(assetsDirPath, 0755); err != nil {
kernel/treenode/template.go+6 −0 modified@@ -31,6 +31,12 @@ import ( func BuiltInTemplateFuncs() (ret template.FuncMap) { ret = sprig.TxtFuncMap() + + // 因为安全原因移除一些函数 https://github.com/siyuan-note/siyuan/issues/13426 + delete(ret, "env") + delete(ret, "expandenv") + delete(ret, "getHostByName") + ret["Weekday"] = util.Weekday ret["WeekdayCN"] = util.WeekdayCN ret["WeekdayCN2"] = util.WeekdayCN2
kernel/util/path.go+4 −0 modified@@ -302,3 +302,7 @@ func GetAbsPathInWorkspace(relPath string) (string, error) { } return "", os.ErrPermission } + +func IsAbsPathInWorkspace(absPath string) bool { + return IsSubPath(WorkspaceDir, absPath) +}
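Review bot: in the renderTemplate hunk (kernel/api/template.go), IsAbsPathInWorkspace(p) is applied to p without the hunk showing where p was cleaned or made absolute; if p can arrive relative or with unnormalised separators, run it through filepath.Abs or filepath.Clean before the containment check so the comparison sees the same form the file open will use. The rejection message also echoes the caller-supplied path back in ret.Msg, which is acceptable for an authenticated API but worth keeping out of any unauthenticated response.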
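Review bot: in the ExportResources hunk (kernel/model/export.go) the containment check correctly runs on resourceFullPath after filepath.Join, which collapses ".." segments, so it sees the path that would actually be copied. Two follow-ups: the error path calls errors.New but the hunk adds no import for errors, so confirm export.go already imports it; and since filepath.Join is lexical, a symlink inside the workspace that points outside it still passes, so resolve with filepath.EvalSymlinks before the check if symlinked workspaces are in scope.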
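Review bot: in the Upload hunk (kernel/model/upload.go) assetsDirPath is built under util.DataDir, but the new check only confirms the result is somewhere under WorkspaceDir; a relative assetsDirPath that climbs out of data/ into another workspace directory still passes as long as data/ lives inside the workspace. Consider checking containment against util.DataDir (or the assets directory itself) instead of the workspace root, for example `if !util.IsSubPath(util.DataDir, assetsDirPath) {`. Placing the check inside the `if nil != form.Value["assetsDirPath"]` branch is right, since the default path is server-chosen.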
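Review bot: the BuiltInTemplateFuncs hunk (kernel/treenode/template.go) removes env, expandenv and getHostByName from the sprig map by name, which is a denylist; any other helper in the map that reaches the environment or the network, now or after a future sprig upgrade, stays exposed. An allowlist of the helpers templates actually need would fail closed. The explanatory comment is in Chinese ("some functions removed for security reasons"); an English comment alongside the issue link would help reviewers outside the core team understand why these three were chosen.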
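Review bot: IsAbsPathInWorkspace (kernel/util/path.go) names its parameter absPath but never verifies that the value is absolute or cleaned before delegating to IsSubPath, so a relative or un-normalised argument yields whatever IsSubPath makes of it. Either check filepath.IsAbs and apply filepath.Clean here, or add a doc comment stating that callers must pass a cleaned absolute path; the new exported function currently has no comment at all.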
References
- github.com/advisories/GHSA-fqj6-whhx-47p7 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-55659 (NVD entry)
- github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71 (fix commit)
- github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7 (vendor advisory)
- pkg.go.dev/vuln/GO-2024-3326 (Go vulnerability database)