🔒 Arbitrary file reading vulnerability https://github.com/siyuan-note/siyuan/issues/16860

Signed-off-by: Daniel <845765@qq.com>
2026-01-19 14:56:09 +01:00 · 2026-01-18 17:23:26 +08:00 · 2026-01-18 17:23:26 +08:00 · b2274baba2
commit b2274baba2
parent f922745aa7
3 changed files with 118 additions and 3 deletions
--- a/kernel/util/path.go
+++ b/kernel/util/path.go
@ -347,3 +347,95 @@ func IsPartitionRootPath(path string) bool {
 		return cleanPath == "/"
 	}
 }
+
+// IsSensitivePath 对传入路径做统一的敏感性检测。
+func IsSensitivePath(p string) bool {
+	if p == "" {
+		return false
+	}
+	pp := filepath.Clean(strings.ToLower(p))
+
+	// 精确敏感文件
+	exact := []string{
+		"/etc/passwd",
+		"/etc/shadow",
+		"/etc/gshadow",
+		"/var/run/secrets/kubernetes.io/serviceaccount/token",
+	}
+	for _, e := range exact {
+		if pp == e {
+			return true
+		}
+	}
+
+	// 敏感目录前缀（UNIX 风格）
+	prefixes := []string{
+		"/etc/ssh",
+		"/root",
+		"/etc/ssl",
+		"/etc/letsencrypt",
+		"/var/lib/docker",
+		"/.gnupg",
+		"/.ssh",
+		"/.aws",
+		"/.kube",
+		"/.docker",
+		"/.config/gcloud",
+	}
+	for _, pre := range prefixes {
+		if strings.HasPrefix(pp, pre) {
+			return true
+		}
+	}
+
+	// Windows 常见敏感目录（小写比较）
+	winPrefixes := []string{
+		`c:\windows\system32`,
+		`c:\windows\system`,
+		`c:\users\`,
+	}
+	for _, wp := range winPrefixes {
+		if strings.HasPrefix(pp, strings.ToLower(wp)) {
+			return true
+		}
+	}
+
+	// 文件名级别检查
+	base := filepath.Base(pp)
+	n := strings.ToLower(base)
+	sensitiveNames := map[string]struct{}{
+		".env":            {},
+		".env.local":      {},
+		".npmrc":          {},
+		".netrc":          {},
+		"id_rsa":          {},
+		"id_dsa":          {},
+		"id_ecdsa":        {},
+		"id_ed25519":      {},
+		"authorized_keys": {},
+		"passwd":          {},
+		"shadow":          {},
+		"pgpass":          {},
+		"credentials":     {}, // 如 aws credentials
+		"config.json":     {}, // docker config.json 可能含 token
+	}
+	if _, ok := sensitiveNames[n]; ok {
+		return true
+	}
+	// 支持 .env.* 之类的模式
+	if n == ".env" || strings.HasPrefix(n, ".env.") {
+		return true
+	}
+
+	// 扩展名级别检查
+	ext := strings.ToLower(filepath.Ext(n))
+	sensitiveExts := []string{
+		".pem", ".key", ".p12", ".pfx", ".ppk", ".asc", ".gpg",
+	}
+	for _, se := range sensitiveExts {
+		if ext == se {
+			return true
+		}
+	}
+	return false
+}