Description

SiYuan: Publish Reader Path Traversal Delete via removeUnusedAttributeView

Summary

The endpoint /api/av/removeUnusedAttributeView is vulnerable to a path traversal (CWE-22) that allows an attacker to delete arbitrary .json files on the server.

The issue arises because user-controlled input (id) is directly used in filesystem path construction without validation or restriction.

Access to this endpoint (e.g., via a Reader-role or publish context) is considered a precondition and not part of the vulnerability. The root cause is unsafe path handling.

Steps To Reproduce

Ensure the target instance has the publish service enabled (or any valid access to the endpoint).

Send the following request:

POST /api/av/removeUnusedAttributeView HTTP/1.1
Host: <target>
Content-Type: application/json

{
  "id": "../../../conf/conf"
}

Observe that the request is accepted.

The server resolves the path outside the intended directory and deletes the target file.

Impact

An attacker can delete arbitrary .json files within the workspace directory.

This may lead to:

Deletion of global configuration files (e.g., conf/conf.json)

Loss of user data and application state

Corruption of workspace metadata

Persistent application instability or forced recovery

This represents a server-side arbitrary file deletion primitive, which can have severe impact depending on the targeted files.

Technical Details

The vulnerable code constructs file paths as follows:

filepath.Join(util.DataDir, "storage", "av", id+".json")

Because id is not validated, attackers can inject path traversal sequences such as ../ to escape the intended directory.

Example payloads

../local → data/storage/local.json

../../storage/outline → data/storage/outline.json

../../../conf/conf → conf/conf.json

No validation or restriction is applied to:

input format

path normalization

directory boundaries

Root Cause

Untrusted user input (id) is directly used in filesystem path construction

No input validation or sanitization

No enforcement that the resolved path stays within the intended directory

Remediation

Validate input strictly

Only allow valid Attribute View IDs

Reject any input containing path traversal sequences

Enforce directory boundaries

base := filepath.Join(util.DataDir, "storage", "av")
absPath := filepath.Join(base, id+".json")

if !util.IsSubPath(base, absPath) {
    return error
}

Normalize paths before use

Ensure canonical paths cannot escape the base directory

Add additional logical checks

Verify that the target object is valid and allowed to be deleted

Mitigation

Aliases

References