🔒 Fix https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9

Signed-off-by: Daniel <845765@qq.com>
2026-02-08 00:04:21 +01:00 · 2026-01-28 21:42:30 +08:00 · 2026-01-28 21:42:30 +08:00 · d7f790755e
commit d7f790755e
parent 399a38893e
2 changed files with 10 additions and 0 deletions
--- a/kernel/api/file.go
+++ b/kernel/api/file.go
@ -141,6 +141,14 @@ func copyFile(c *gin.Context) {
 	}

 	dest := arg["dest"].(string)
+	if util.IsSensitivePath(dest) {
+		msg := fmt.Sprintf("refuse to copy sensitive file [%s]", dest)
+		logging.LogErrorf(msg)
+		ret.Code = -2
+		ret.Msg = msg
+		return
+	}
+
 	if err = filelock.Copy(src, dest); err != nil {
 		logging.LogErrorf("copy file [%s] to [%s] failed: %s", src, dest, err)
 		ret.Code = -1
--- a/kernel/util/path.go
+++ b/kernel/util/path.go
@ -373,6 +373,7 @@ func IsSensitivePath(p string) bool {
 		"/etc/ssh",
 		"/root",
 		"/etc/ssl",
+		"/etc/cron.d/",
 		"/etc/letsencrypt",
 		"/var/lib/docker",
 		"/.gnupg",
@ -404,6 +405,7 @@ func IsSensitivePath(p string) bool {
 	base := filepath.Base(pp)
 	n := strings.ToLower(base)
 	sensitiveNames := map[string]struct{}{
+		".bashrc":         {},
 		".env":            {},
 		".env.local":      {},
 		".npmrc":          {},