From 4262c40cdba532b720ef8190a7f81770ab7f0c5b Mon Sep 17 00:00:00 2001 From: Daniel <845765@qq.com> Date: Mon, 8 Dec 2025 10:28:31 +0800 Subject: [PATCH] :lock: Fix Command Injection via PandocBin https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4r66-7rcv-x46x Signed-off-by: Daniel <845765@qq.com> --- kernel/util/pandoc.go | 65 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/kernel/util/pandoc.go b/kernel/util/pandoc.go index c8c465c54..ca0e6212a 100644 --- a/kernel/util/pandoc.go +++ b/kernel/util/pandoc.go @@ -211,6 +211,71 @@ func IsValidPandocBin(binPath string) bool { return false } + // 解析符号链接 + if real, err := filepath.EvalSymlinks(binPath); err == nil { + binPath = real + } + + // 文件信息检查 + fi, err := os.Stat(binPath) + if err != nil || fi.IsDir() || !fi.Mode().IsRegular() { + return false + } + + // 在 Unix 上要求拥有可执行权限 + if !gulu.OS.IsWindows() { + if fi.Mode().Perm()&0111 == 0 { + return false + } + } + + // 读取文件头判断是否为二进制并排除脚本(#!) + f, err := os.Open(binPath) + if err != nil { + return false + } + defer f.Close() + + header := make([]byte, 16) + n, _ := f.Read(header) + header = header[:n] + + // 拒绝以 shebang 开头的脚本 + if bytes.HasPrefix(header, []byte("#!")) { + return false + } + + isBin := false + // 常见二进制魔数:ELF, PE("MZ"), Mach-O/FAT + if len(header) >= 4 { + switch { + case bytes.Equal(header[:4], []byte{0x7f, 'E', 'L', 'F'}): + isBin = true // ELF + case bytes.Equal(header[:4], []byte{0xfe, 0xed, 0xfa, 0xce}): + isBin = true // Mach-O + case bytes.Equal(header[:4], []byte{0xce, 0xfa, 0xed, 0xfe}): + isBin = true // Mach-O (swapped) + case bytes.Equal(header[:4], []byte{0xca, 0xfe, 0xba, 0xbe}): + isBin = true // FAT + } + } + // PE only needs first 2 bytes "MZ" + if !isBin && len(header) >= 2 && bytes.Equal(header[:2], []byte{'M', 'Z'}) { + isBin = true + } + + // Windows 上允许 .exe 文件(作为补充判断) + if !isBin && gulu.OS.IsWindows() { + ext := strings.ToLower(filepath.Ext(binPath)) + if ext == ".exe" { + isBin = true + } + } + + if !isBin { + return false + } + cmd := exec.Command(binPath, "--version") gulu.CmdAttr(cmd) data, err := cmd.CombinedOutput()