Signed-off-by: Daniel <845765@qq.com>
Daniel 2026-03-06 16:41:03 +08:00
parent da6720e8f9
commit 6feb2bc8ec
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
2 changed files with 11 additions and 0 deletions


@ -318,6 +318,11 @@ func serveExport(ginServer *gin.Engine) {
} }
fullPath := filepath.Join(exportBaseDir, decodedPath) fullPath := filepath.Join(exportBaseDir, decodedPath)
if util.IsSensitivePath(fullPath) {
logging.LogErrorf("refuse to export sensitive file [%s]", c.Request.URL.Path)
c.Status(http.StatusForbidden)
return
}
fileInfo, err := os.Stat(fullPath) fileInfo, err := os.Stat(fullPath)
if os.IsNotExist(err) { if os.IsNotExist(err) {
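Review bot: The guard added before `os.Stat` is a deny-list on the joined path, and nothing in this hunk shows that `fullPath` is still inside `exportBaseDir` once `filepath.Join` has cleaned any `..` segments out of `decodedPath`. If no containment check exists above the hunk, I would add one ahead of the sensitive-path test, e.g. `if rel, err := filepath.Rel(exportBaseDir, fullPath); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { c.Status(http.StatusForbidden); return }`. The check also runs on the unresolved path, so a symlink under the export directory that points at a sensitive location would presumably pass; resolving with `filepath.EvalSymlinks` before calling `util.IsSensitivePath` would cover that case. The handler body starts and ends outside the hunk, so this is hedged on what the surrounding code already does.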


@ -391,6 +391,12 @@ func IsSensitivePath(p string) bool {
} }
} }
// 工作空间/conf 目录(小写比较)
workspaceConfPrefix := strings.ToLower(filepath.Join(WorkspaceDir, "conf"))
if strings.HasPrefix(pp, workspaceConfPrefix) {
return true
}
homePrefixes := []string{ homePrefixes := []string{
strings.ToLower(filepath.Join(HomeDir, ".ssh")), strings.ToLower(filepath.Join(HomeDir, ".ssh")),
strings.ToLower(filepath.Join(HomeDir, ".config")), strings.ToLower(filepath.Join(HomeDir, ".config")),
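Review bot: `strings.HasPrefix(pp, workspaceConfPrefix)` compares raw string prefixes, so sibling names such as `<workspace>/conf-old` or `<workspace>/config` are classified as sensitive as well, and if `WorkspaceDir` is ever empty the prefix collapses to the relative path `conf`. Matching on a path boundary is tighter: `if pp == workspaceConfPrefix || strings.HasPrefix(pp, workspaceConfPrefix+string(filepath.Separator)) {`. `pp` is assigned outside the hunk, so I am assuming it is the cleaned, lower-cased form of `p`; if it is not passed through `filepath.Clean` (or made absolute) first, the comparison is only as reliable as the caller's normalisation. The comment on the new block would be easier to maintain in English, e.g. `// workspace conf directory (compared in lower case)`.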