Daniel 2025-06-16 10:31:04 +08:00
parent e64b486ea4
commit 8fff4b742e
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
3 changed files with 19 additions and 8 deletions


@ -380,7 +380,7 @@ func putFile(c *gin.Context) {
return return
} }
if !isValidFileName(fileAbsPath) { // Improve kernel API `/api/file/putFile` parameter validation https://github.com/siyuan-note/siyuan/issues/14658 if !util.IsValidUploadFileName(filepath.Base(fileAbsPath)) { // Improve kernel API `/api/file/putFile` parameter validation https://github.com/siyuan-note/siyuan/issues/14658
ret.Code = http.StatusBadRequest ret.Code = http.StatusBadRequest
ret.Msg = "invalid file path, please check https://github.com/siyuan-note/siyuan/issues/14658 for more details" ret.Msg = "invalid file path, please check https://github.com/siyuan-note/siyuan/issues/14658 for more details"
return return
@ -465,8 +465,3 @@ func millisecond2Time(t int64) time.Time {
msec := t % 1000 msec := t % 1000
return time.Unix(sec, msec*int64(time.Millisecond)) return time.Unix(sec, msec*int64(time.Millisecond))
} }
func isValidFileName(p string) bool {
name := filepath.Base(p)
return name == util.FilterUploadFileName(name)
}
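Review bot: The response text at line 16, `invalid file path`, promises more than the new condition at line 14 checks: `util.IsValidUploadFileName(filepath.Base(fileAbsPath))` compares only the final path element against the upload-name filter, so the directory components of `fileAbsPath` are not covered by this line. If they are validated earlier in `putFile` (its body starts and ends outside the hunk), a one-line comment on line 14 such as `// only the final path element is checked here; the directory part is validated above` would save the next reader the search; if they are not, that is the gap to close before relying on this message. Dropping the local `isValidFileName` in the second hunk is otherwise equivalent, since it applied `filepath.Base` itself before calling the filter.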


@ -26,6 +26,7 @@ import (
"github.com/88250/gulu" "github.com/88250/gulu"
"github.com/88250/lute" "github.com/88250/lute"
"github.com/88250/lute/html"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/siyuan-note/logging" "github.com/siyuan-note/logging"
"github.com/siyuan-note/siyuan/kernel/conf" "github.com/siyuan-note/siyuan/kernel/conf"
@ -165,10 +166,15 @@ func getEmojiConf(c *gin.Context) {
} else { } else {
for _, customEmoji := range customEmojis { for _, customEmoji := range customEmojis {
name := customEmoji.Name() name := customEmoji.Name()
if strings.HasPrefix(name, ".") || strings.ContainsAny(name, "<\"") { if strings.HasPrefix(name, ".") {
continue continue
} }
if !util.IsValidUploadFileName(html.UnescapeString(name)) {
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
logging.LogWarnf("invalid custom emoji name [%s]", name)
}
if customEmoji.IsDir() { if customEmoji.IsDir() {
// 子级 // 子级
subCustomEmojis, err := os.ReadDir(filepath.Join(customConfDir, name)) subCustomEmojis, err := os.ReadDir(filepath.Join(customConfDir, name))
@ -183,7 +189,13 @@ func getEmojiConf(c *gin.Context) {
} }
name = subCustomEmoji.Name() name = subCustomEmoji.Name()
if strings.HasPrefix(name, ".") || strings.ContainsAny(name, "<\"") { if strings.HasPrefix(name, ".") {
continue
}
if !util.IsValidUploadFileName(html.UnescapeString(name)) {
// XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
logging.LogWarnf("invalid custom emoji name [%s]", name)
continue continue
} }
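Review bot: The top-level loop at lines 43-46 only logs when `util.IsValidUploadFileName(html.UnescapeString(name))` fails and then falls through to the `IsDir` handling, whereas the nested loop at lines 56-59 does `continue` after the same warning, and the removed `strings.ContainsAny(name, "<\"")` test at line 40 used to skip such names outright. A custom emoji directory or file whose name fails the filter is therefore still processed at the top level, which is presumably what the linked issue is meant to stop; add `continue` after the `logging.LogWarnf(...)` call at line 45 so both levels behave the same. Whether the new check fully subsumes the old `<`/`"` test depends on the rules inside `FilterUploadFileName`, which are not visible here, so that is worth confirming. The body of `getEmojiConf` continues outside both hunks.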


@ -184,6 +184,10 @@ func IsCorruptedSYData(data []byte) bool {
return false return false
} }
func IsValidUploadFileName(name string) bool {
return name == FilterUploadFileName(name)
}
func FilterUploadFileName(name string) string { func FilterUploadFileName(name string) string {
ret := FilterFileName(name) ret := FilterFileName(name)