SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.6.0
A vulnerability in the SiYuan personal knowledge management system allows arbitrary file reading. In versions through 3.6.0, the desktop application copies local files referenced by file:// links in pasted HTML into the workspace assets directory. This copy occurs without validating the file paths against a list of sensitive directories. Once the files are in the assets directory, they can be fetched with a GET request, exfiltrating sensitive information. Because the application performs no sensitive-path check before copying, any file readable by the application can be retrieved, such as those in the /etc or Windows System32 directories.
Exploitation of this vulnerability allows authenticated users, including those with publish-service visitor roles, to read any sensitive file accessible by the application on the user's machine. This could include critical system files, network configuration files, or credential files, thereby compromising the confidentiality of sensitive data and the overall runtime environment.
To reproduce this vulnerability, paste HTML containing file:// links to sensitive local files into a SiYuan document on the desktop application. Ensure that the links point to files within sensitive-path prefixes, such as '/etc' or 'C:\Windows\System32'. After the files are copied into the workspace assets directory, extract the asset file paths from the returned DOM and use a GET request to retrieve the file contents.
Users can update to SiYuan version 3.6.1, which addresses this vulnerability by implementing proper path validation before copying files into the assets directory.
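As an added illustration of the path validation the fix describes (example code written here, not SiYuan's own implementation), the Go function below rejects a pasted file:// href whose decoded, cleaned target lies under a deny list of sensitive directories before any copy into the assets directory happens. The deny list and the function names are constructed for this example, and the paths are POSIX-style.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Constructed deny list for this example (POSIX paths only); a real
// deployment needs a platform-specific list, e.g. C:\Windows\System32.
var sensitivePrefixes = []string{"/etc", "/proc", "/root", "/home/user/.ssh"}

// ErrSensitivePath is returned when a file:// target lies under a denied prefix.
var ErrSensitivePath = errors.New("file path is under a sensitive directory")

// underPrefix reports whether p equals prefix or lies inside it; a bare
// strings.HasPrefix would wrongly treat "/etcetera" as being under "/etc".
func underPrefix(p, prefix string) bool {
	prefix = filepath.Clean(prefix)
	return p == prefix || strings.HasPrefix(p, prefix+string(filepath.Separator))
}

// checkPasteTarget validates a pasted file:// href before the referenced file
// is copied into the workspace assets directory. It returns the cleaned local
// path on success, or an error that must abort the copy.
func checkPasteTarget(href string) (string, error) {
	u, err := url.Parse(href)
	if err != nil {
		return "", err
	}
	if u.Scheme != "file" {
		return "", fmt.Errorf("not a file URL: %q", href)
	}
	// url.Parse percent-decodes u.Path (so %2e%2e becomes ".."), and Clean
	// collapses ".." segments; the deny-list check runs on that final path.
	p := filepath.Clean(u.Path)
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("file URL must carry an absolute path: %q", href)
	}
	for _, prefix := range sensitivePrefixes {
		if underPrefix(p, prefix) {
			return "", fmt.Errorf("%w: %s", ErrSensitivePath, p)
		}
	}
	return p, nil
}
```

A deny list is the check the advisory describes; resolving symlinks with filepath.EvalSymlinks before the comparison, or restricting copies to an allow list of user directories, makes the check more robust.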