Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-16 22:50:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🔒 Some security vulnerabilities https://github.com/siyuan-note/siyuan/issues/13426

Browse source
This commit is contained in:
Daniel 2024-12-11 17:15:54 +08:00
parent 2b5a9f9f1a
commit e70ed57f6e
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
5 changed files with 28 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
kernel/api/template.go
View file

@ -80,6 +80,12 @@ func renderTemplate(c *gin.Context) {
return return
} }
if !util.IsAbsPathInWorkspace(p) {
ret.Code = -1
ret.Msg = "Path [" + p + "] is not in workspace"
return
}
preview := false preview := false
if previewArg := arg["preview"]; nil != previewArg { if previewArg := arg["preview"]; nil != previewArg {
preview = previewArg.(bool) preview = previewArg.(bool)

8
kernel/model/export.go
View file

@ -532,7 +532,13 @@ func ExportResources(resourcePaths []string, mainName string) (exportFilePath st
// 将需要导出的文件/文件夹复制到临时文件夹 // 将需要导出的文件/文件夹复制到临时文件夹
for _, resourcePath := range resourcePaths { for _, resourcePath := range resourcePaths {
resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath) // 资源完整路径 resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath) // 资源完整路径
if !util.IsAbsPathInWorkspace(resourceFullPath) {
logging.LogErrorf("resource path [%s] is not in workspace", resourceFullPath)
err = errors.New("resource path [" + resourcePath + "] is not in workspace")
return
}
resourceBaseName := filepath.Base(resourceFullPath) // 资源名称 resourceBaseName := filepath.Base(resourceFullPath) // 资源名称
resourceCopyPath := filepath.Join(exportFolderPath, resourceBaseName) // 资源副本完整路径 resourceCopyPath := filepath.Join(exportFolderPath, resourceBaseName) // 资源副本完整路径
if err = filelock.Copy(resourceFullPath, resourceCopyPath); err != nil { if err = filelock.Copy(resourceFullPath, resourceCopyPath); err != nil {

5
kernel/model/upload.go
View file

@ -132,6 +132,11 @@ func Upload(c *gin.Context) {
if nil != form.Value["assetsDirPath"] { if nil != form.Value["assetsDirPath"] {
relAssetsDirPath = form.Value["assetsDirPath"][0] relAssetsDirPath = form.Value["assetsDirPath"][0]
assetsDirPath = filepath.Join(util.DataDir, relAssetsDirPath) assetsDirPath = filepath.Join(util.DataDir, relAssetsDirPath)
if !util.IsAbsPathInWorkspace(assetsDirPath) {
ret.Code = -1
ret.Msg = "Path [" + assetsDirPath + "] is not in workspace"
return
}
} }
if !gulu.File.IsExist(assetsDirPath) { if !gulu.File.IsExist(assetsDirPath) {
if err = os.MkdirAll(assetsDirPath, 0755); err != nil { if err = os.MkdirAll(assetsDirPath, 0755); err != nil {

6
kernel/treenode/template.go
View file

@ -31,6 +31,12 @@ import (
func BuiltInTemplateFuncs() (ret template.FuncMap) { func BuiltInTemplateFuncs() (ret template.FuncMap) {
ret = sprig.TxtFuncMap() ret = sprig.TxtFuncMap()
// 因为安全原因移除一些函数 https://github.com/siyuan-note/siyuan/issues/13426
delete(ret, "env")
delete(ret, "expandenv")
delete(ret, "getHostByName")
ret["Weekday"] = util.Weekday ret["Weekday"] = util.Weekday
ret["WeekdayCN"] = util.WeekdayCN ret["WeekdayCN"] = util.WeekdayCN
ret["WeekdayCN2"] = util.WeekdayCN2 ret["WeekdayCN2"] = util.WeekdayCN2

4
kernel/util/path.go
View file

@ -302,3 +302,7 @@ func GetAbsPathInWorkspace(relPath string) (string, error) {
} }
return "", os.ErrPermission return "", os.ErrPermission
} }
func IsAbsPathInWorkspace(absPath string) bool {
return IsSubPath(WorkspaceDir, absPath)
}