SiYuan Personal Knowledge Management System Arbitrary File Read Vulnerability

Vulnerability

A logic vulnerability has been identified in SiYuan personal knowledge management system versions prior to 3.5.4. The issue resides in the '/api/file/globalCopyFiles' endpoint, where authenticated users can copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability arises because, while the function checks whether the source file exists, it fails to ensure that the source path lies within the authorized workspace directory. This flaw allows arbitrary file reading, including of sensitive system and configuration files.

Impact

Exploitation of this vulnerability allows authenticated users to read arbitrary files from the server, bypassing directory restrictions. This could lead to unauthorized access to sensitive information, such as configuration files containing secrets or system files like '/etc/passwd'.

Reproduction

To reproduce this vulnerability, send a request to the '/api/file/globalCopyFiles' endpoint with a list of source paths that includes sensitive files, such as '/etc/passwd'. The server will copy these files into the application's workspace, where they can be accessed as legitimate assets.

Remediation

Users can update to SiYuan version 3.5.4, which addresses this vulnerability by implementing proper path validation in the file copy function.
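The containment check that the advisory describes as missing and as added in 3.5.4, written here as an added Go example that is not SiYuan's own code. The function names (resolve, isWithin, validateCopySources) and the workspace path used in the comments are assumptions for illustration; the check rejects absolute paths outside the workspace, cleaned "../" traversals, sibling directories that merely share a name prefix, and symlinks that point out of the workspace.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is the sentinel returned when a requested source is not inside the workspace.
var ErrOutsideWorkspace = errors.New("source path is outside the workspace")

// resolve cleans p to an absolute path and, if p exists, follows symlinks so the real target is checked.
func resolve(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	if target, err := filepath.EvalSymlinks(abs); err == nil {
		abs = target
	}
	return abs, nil
}

// isWithin uses filepath.Rel rather than a string prefix so "/ws2" is not treated as inside "/ws".
func isWithin(parent, child string) bool {
	rel, err := filepath.Rel(parent, child)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// validateCopySources (hypothetical helper, not SiYuan's code) is the containment check the advisory describes as missing.
func validateCopySources(workspace string, srcs []string) error {
	ws, err := resolve(workspace)
	if err != nil {
		return err
	}
	for _, src := range srcs {
		s, err := resolve(src)
		if err != nil {
			return err
		}
		if !isWithin(ws, s) {
			return fmt.Errorf("%w: %q", ErrOutsideWorkspace, src)
		}
	}
	return nil
}
```

Existence of the source is still checked by the copy itself; this function only answers the question the original code skipped, namely whether the source is allowed to be read at all.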

Added: Jan 19, 2026, 8:20 PM
Updated: Jan 19, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.