SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.5.4
A case-bypass vulnerability in the file read interface has been identified in the SiYuan personal knowledge management system, affecting versions 3.5.4 and prior (fixed in 3.5.5). The '/api/file/getFile' endpoint restricts access to sensitive files with case-sensitive string equality checks against a list of protected paths. On a case-insensitive file system, such as NTFS on Windows (or a default APFS volume on macOS), a request for a mixed-case variant of a protected path, for example 'cOnf/conf.json' instead of 'conf/conf.json', fails the string comparison but resolves to the same file, so the restriction is bypassed and the protected configuration file is returned. The root cause is that paths are compared exactly as received, with neither case normalization before the comparison nor a check that the requested path resolves to the same file as a protected one.
Successful exploitation lets an attacker read sensitive information from configuration files, such as access codes, API tokens, and sync configurations. The vulnerability is remotely exploitable when the service is published on the network without authentication.
To reproduce, publish the SiYuan service without authentication, then send a POST request to the '/api/file/getFile' endpoint with a mixed-case file path that targets a sensitive configuration file, such as 'cOnf/conf.json'. On a case-insensitive file system the response contains the contents of the requested file, confirming the bypass; on a case-sensitive file system the same request fails because no file exists under the mixed-case name.
Users should update to SiYuan version 3.5.5, which fixes the issue by normalizing case before comparing paths and applying the sensitive-path blacklist to the normalized path.
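SiYuan's kernel is written in Go, so the pattern is shown in Go below. This is an added example, not code from SiYuan or the advisory: the function names, the blacklist contents and the probe paths are constructed for illustration. It places the vulnerable comparison (strict equality on the raw request path) beside a hardened check that normalises separators, dot segments and case before consulting the blacklist and fails closed on paths that escape the workspace, which goes beyond the single case issue the advisory describes.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Workspace-relative paths the file-read endpoint must never serve.
// Only conf/conf.json is named in the advisory; this list is a constructed
// stand-in for SiYuan's real blacklist.
var sensitivePaths = []string{
	"conf/conf.json",
}

// isBlockedVulnerable mirrors the flawed pattern: a strict, case-sensitive
// equality test on the raw request path. On NTFS "cOnf/conf.json" opens the
// same file as "conf/conf.json" but never matches here.
func isBlockedVulnerable(reqPath string) bool {
	for _, s := range sensitivePaths {
		if reqPath == s {
			return true
		}
	}
	return false
}

// normalize canonicalises a request path before any policy decision:
// unify separators, drop a leading slash, collapse "." and ".." segments,
// reject anything that still escapes the workspace root, then case-fold.
// ok is false when the path cannot be made safe.
func normalize(reqPath string) (string, bool) {
	p := strings.ReplaceAll(reqPath, `\`, "/") // Windows separators
	p = strings.TrimLeft(p, "/")               // treat as workspace-relative
	p = filepath.ToSlash(filepath.Clean(p))    // collapse ./, ../, //
	if p == ".." || strings.HasPrefix(p, "../") {
		return "", false // would resolve above the workspace
	}
	// strings.ToLower approximates case-insensitive file-system semantics;
	// NTFS uses its own folding table, so a real handler should still resolve
	// the path and compare file identity (see the note below the code).
	return strings.ToLower(p), true
}

// isBlockedHardened consults the blacklist only after normalising both the
// request path and each protected entry, and denies when normalisation fails.
func isBlockedHardened(reqPath string) bool {
	n, ok := normalize(reqPath)
	if !ok {
		return true // fail closed
	}
	for _, s := range sensitivePaths {
		if sn, _ := normalize(s); n == sn {
			return true
		}
	}
	return false
}

func main() {
	// Constructed probe paths, not requests observed against a real instance.
	probes := []string{
		"conf/conf.json",         // exact: both checks block
		"cOnf/conf.json",         // the advisory's bypass
		`CONF\CONF.JSON`,         // Windows separator plus upper case
		"data/../Conf/conf.json", // traversal back to the same file
		"../../etc/passwd",       // escapes workspace: hardened fails closed
		"data/notes.md",          // legitimate read
	}
	for _, p := range probes {
		fmt.Printf("%-26s vulnerable=%-5v hardened=%v\n",
			p, isBlockedVulnerable(p), isBlockedHardened(p))
	}
}
```

The order matters: the bug is checking first and (if at all) normalising afterwards, so every transformation the file system will apply, case folding included, has to happen before the comparison. String lowering is only an approximation of the file system's own folding, so the last line of defence in a real handler is identity rather than spelling: join the normalised path to the workspace root, resolve it, and compare it against the protected files with os.SameFile, which is the "validation against identical files" the advisory says was missing.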