From 6feb2bc8ec2dc2d58d62faad68caeec705dbf62d Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Fri, 6 Mar 2026 16:41:03 +0800
Subject: [PATCH] :lock: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h2p-mvfx-868w

Signed-off-by: Daniel <845765@qq.com>
---
 kernel/server/serve.go | 5 +++++
 kernel/util/path.go | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/kernel/server/serve.go b/kernel/server/serve.go
index 94897546f..81a217e23 100644
--- a/kernel/server/serve.go
+++ b/kernel/server/serve.go
@@ -318,6 +318,11 @@ func serveExport(ginServer *gin.Engine) {
 		}
 		fullPath := filepath.Join(exportBaseDir, decodedPath)
 
+		if util.IsSensitivePath(fullPath) {
+			logging.LogErrorf("refuse to export sensitive file [%s]", c.Request.URL.Path)
+			c.Status(http.StatusForbidden)
+			return
+		}
 		fileInfo, err := os.Stat(fullPath)
 		if os.IsNotExist(err) {
diff --git a/kernel/util/path.go b/kernel/util/path.go
index c60d1eec1..6e45255bf 100644
--- a/kernel/util/path.go
+++ b/kernel/util/path.go
@@ -391,6 +391,12 @@ func IsSensitivePath(p string) bool {
 		}
 	}
 
+	// 工作空间/conf 目录(小写比较)
+	workspaceConfPrefix := strings.ToLower(filepath.Join(WorkspaceDir, "conf"))
+	if strings.HasPrefix(pp, workspaceConfPrefix) {
+		return true
+	}
+
 	homePrefixes := []string{
 		strings.ToLower(filepath.Join(HomeDir, ".ssh")),
 		strings.ToLower(filepath.Join(HomeDir, ".config")),
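Review bot: The new guard in serveExport checks only the lexical path `filepath.Join(exportBaseDir, decodedPath)`, so a symlink inside the export directory that points at a sensitive location would pass `util.IsSensitivePath` and still be served by the `os.Stat` path that follows. The denylist should be applied to the resolved path as well, e.g. `resolved, evalErr := filepath.EvalSymlinks(fullPath)` followed by `if util.IsSensitivePath(fullPath) || (evalErr == nil && util.IsSensitivePath(resolved)) {`; leaving `fullPath` itself untouched keeps the later Stat and not-found handling as they are. Whether an earlier check already confines `fullPath` to `exportBaseDir` is not visible here, since serveExport begins and ends outside the hunk; the denylist is a second line of defense rather than a substitute for that containment check. The same symlink concern applies to the prefix comparison added in kernel/util/path.go in the next hunk.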
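Review bot: `strings.HasPrefix(pp, workspaceConfPrefix)` has no separator after the prefix, so it also matches sibling entries such as `<workspace>/conf-old` or `<workspace>/configs`, which would be refused as sensitive even though they are not the conf directory; the existing home-directory prefixes in the same function presumably share this behaviour, but the new line makes it reach into the workspace itself. A tighter test is `if pp == workspaceConfPrefix || strings.HasPrefix(pp, workspaceConfPrefix+string(filepath.Separator)) {`. The check also depends on `pp` being the cleaned, lowercased form of `p`, which is established outside the hunk (IsSensitivePath's body starts before line 391), and on `WorkspaceDir` being set; if it is empty, `filepath.Join("", "conf")` yields the relative `conf` and the prefix never matches an absolute path, so a short comment on that assumption would help. The new comment is in Chinese while the rest of the visible code is in English; `// The workspace conf directory (compared in lower case).` keeps the file consistent.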