From 3c6b784ffd1480abe6ac79c205fca6651c00d3bb Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Mon, 2 Mar 2026 22:54:24 +0800
Subject: [PATCH] :lock: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-5vwq-4757-x99q
Signed-off-by: Daniel <845765@qq.com>
---
 kernel/api/asset.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/kernel/api/asset.go b/kernel/api/asset.go
index ee83f45c3..a6606cebb 100644
--- a/kernel/api/asset.go
+++ b/kernel/api/asset.go
@@ -65,6 +65,11 @@ func statAsset(c *gin.Context) {
 return
 }
 
+ if !util.IsAbsPathInWorkspace(p) {
+ ret.Code = 1
+ return
+ }
+
 info, err := os.Stat(p)
 if err != nil {
 ret.Code = 1
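Review bot: The new `util.IsAbsPathInWorkspace(p)` guard in statAsset is only as strong as the form of `p` it receives: `os.Stat(p)` right after it follows symlinks, so if the helper compares path strings without resolving links (its body is not in this hunk), a link stored inside the workspace could still be stat'ed through to a target outside it. Confirm that `p` is absolute, cleaned and ideally symlink-resolved before the check, and state that contract above the guard, e.g. `// p must be an absolute, cleaned path; reject anything outside the workspace before touching the filesystem`. The rejection returns the same bare `ret.Code = 1` as the stat failure below, which avoids revealing whether an outside path exists, but it leaves no log entry, so a warning-level log of the rejected path would help detection of probing. statAsset begins and ends outside the hunk, so how `p` is derived from the request is not visible here.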