SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.6.5
A broken access control vulnerability has been identified in SiYuan versions prior to 3.7.0. This issue allows publish-mode Readers to access metadata from documents that are not visible to the publish service. The vulnerability is present in the searchAsset, searchTag, searchWidget, and searchTemplate endpoints, which can be exploited to enumerate metadata across the entire workspace, including tags, asset filenames, widget names, and template names. This exposure violates the trust boundary of the publish service, as users can designate notebooks to be invisible to publish, specifically to protect this metadata from public access.
Exploitation of this vulnerability allows a publish-service Reader to access and enumerate all tags, asset filenames, widget names, and template names within the workspace, including those from publish-private notebooks. This breach of the publish-service trust boundary exposes metadata that users intentionally marked as invisible to publish.
To reproduce this vulnerability, first enable the SiYuan publish service and obtain a 'RoleReader' JWT from the publish reverse-proxy. Authenticate as the Reader against the publish port. Then, send a POST request to the '/api/search/searchTag' or '/api/search/searchAsset' endpoint, including the 'Authorization' header with the 'RoleReader' JWT. The response will include all tags or asset filenames from the entire workspace, disregarding any publish visibility settings.
Users can update to SiYuan version 3.7.0 or later, where this vulnerability has been fixed.
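For operators who cannot upgrade immediately and want to know whether the publish proxy has already been used to enumerate workspace metadata, the following added example (not SiYuan project code) checks a deployed version against the affected range (<= 3.6.5, fixed in 3.7.0) and scans reverse-proxy access logs for successful POSTs to the four endpoints named above. The log lines, client addresses and combined-log layout are constructed assumptions for this example; adapt the regular expression to the proxy's actual log format.

```python
"""Added example, not part of SiYuan: version gate plus access-log triage
for the searchAsset/searchTag/searchWidget/searchTemplate exposure."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The four endpoints named in the advisory.
AFFECTED_ENDPOINTS = {
    "/api/search/searchAsset",
    "/api/search/searchTag",
    "/api/search/searchWidget",
    "/api/search/searchTemplate",
}
FIXED_VERSION = (3, 7, 0)  # first release with the fix

# Constructed sample lines in Apache/nginx combined-log shape; the IPs
# (RFC 5737 documentation range) and request mix are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "POST /api/search/searchTag HTTP/1.1" 200 5123
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "POST /api/search/searchAsset HTTP/1.1" 200 8891
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /stage/build/desktop/ HTTP/1.1" 200 1204
203.0.113.12 - - [01/Jan/2025:10:00:03 +0000] "POST /api/search/searchTemplate?x=1 HTTP/1.1" 200 2210
203.0.113.13 - - [01/Jan/2025:10:00:04 +0000] "POST /api/search/searchWidget HTTP/1.1" 401 48
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.6.5' or 'v3.7.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_affected(version: str) -> bool:
    """True for any release older than the fixed version 3.7.0."""
    return parse_version(version) < FIXED_VERSION


def find_metadata_enumeration(log_text: str) -> List[Dict[str, str]]:
    """Return successful POSTs to the affected endpoints, one dict per hit.

    Only 2xx responses count: a 401/403 means the proxy or server already
    refused the request, so no metadata left the workspace on that line.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the expected layout
        path = match.group("path").split("?", 1)[0]  # ignore query string
        if (match.group("method") == "POST"
                and path in AFFECTED_ENDPOINTS
                and match.group("status").startswith("2")):
            hits.append({"ip": match.group("ip"),
                         "ts": match.group("ts"),
                         "endpoint": path})
    return hits


def endpoints_per_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count distinct affected endpoints touched by each client address.

    A single client walking several of the four endpoints is the pattern
    that matches workspace-wide metadata enumeration.
    """
    seen: Dict[str, set] = defaultdict(set)
    for hit in hits:
        seen[hit["ip"]].add(hit["endpoint"])
    return {ip: len(paths) for ip, paths in seen.items()}


if __name__ == "__main__":
    for ver in ("3.6.5", "3.7.0"):
        print(f"SiYuan {ver}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
    found = find_metadata_enumeration(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['ip']} -> {hit['endpoint']}")
    print("distinct endpoints per client:", endpoints_per_client(found))
```

The version gate is the first thing to run; if `is_affected` is true, the log scan tells you whether the exposure was exercised before the upgrade to 3.7.0, and which clients to follow up on.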