SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- 3.5.9
A server-side request forgery (SSRF) vulnerability has been identified in SiYuan versions prior to 3.6.0. The issue arises in the '/api/network/forwardProxy' endpoint, which allows authenticated users to make arbitrary HTTP requests from the server. The endpoint lacks proper URL validation, enabling requests to internal networks, localhost, or cloud metadata services. This vulnerability could be exploited to access internal resources or cloud credentials, bypassing firewall protections.
Exploitation of this vulnerability could lead to unauthorized access to internal services, cloud metadata and IAM credentials, data exfiltration using the server as a proxy, and bypassing firewall restrictions by originating requests from trusted internal IPs.
To reproduce this vulnerability, authenticate with an access auth code and copy the authenticated cookie. Then, send a POST request to the '/api/network/forwardProxy' endpoint, including the URL of a cloud metadata service in the request body. The response will contain the full data from the metadata service, demonstrating the successful exploitation of the SSRF vulnerability.
Users are advised to update to SiYuan version 3.6.0 or later, where this vulnerability has been fixed.
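The missing control described above is a destination check on the forwarded request. The following Go sketch is an added example, not SiYuan's 3.6.0 patch or any code from the project; the names blockedIP, checkDialAddress and newProxyClient are hypothetical. It checks the address at connect time, after DNS resolution, so a hostname that resolves to an internal address is rejected as well.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// blockedIP reports whether ip is loopback, RFC 1918/ULA private, unspecified,
// link-local (includes the 169.254.169.254 metadata address) or multicast.
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// checkDialAddress validates the resolved "ip:port" the dialer is about to
// connect to. Anything that is not a plain IP literal is rejected.
func checkDialAddress(address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || blockedIP(ip) {
		return fmt.Errorf("destination %q is not allowed", host)
	}
	return nil
}

// newProxyClient returns an HTTP client for outbound forwarding whose dialer
// runs the check on every connection, including ones caused by redirects.
func newProxyClient() *http.Client {
	d := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			return checkDialAddress(address)
		},
	}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	// Constructed sample destinations, not taken from the advisory.
	for _, a := range []string{"169.254.169.254:80", "127.0.0.1:8080", "10.0.0.5:8080", "203.0.113.10:443"} {
		fmt.Printf("%-20s %v\n", a, checkDialAddress(a))
	}
}
```

The transport sets no Proxy, so the dialer always sees the final destination rather than an intermediate proxy address.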