From 44a25da08e3e46b1e589a7bf6a9c5a8bbe6988f4 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Mon, 8 Dec 2025 10:16:05 +0800
Subject: [PATCH 1/2] :lock: Fix Zip decompression security vulnerability https://github.com/siyuan-note/siyuan/issues/16541
Signed-off-by: Daniel <845765@qq.com>
---
 kernel/go.mod | 2 +-
 kernel/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/go.mod b/kernel/go.mod
index 5fdb9c887..ed922f22c 100644
--- a/kernel/go.mod
+++ b/kernel/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/88250/clipboard v0.1.5
 github.com/88250/epub v0.0.0-20230830085737-c19055cd1f48
 github.com/88250/go-humanize v0.0.0-20240424102817-4f78fac47ea7
- github.com/88250/gulu v1.2.3-0.20251119142510-7b1583ab4aa0
+ github.com/88250/gulu v1.2.3-0.20251208021445-f93f2666eaac
 github.com/88250/lute v1.7.7-0.20251206130006-9ab22d55a1d6
 github.com/88250/vitess-sqlparser v0.0.0-20210205111146-56a2ded2aba1
 github.com/ClarkThan/ahocorasick v0.0.0-20231011042242-30d1ef1347f4
diff --git a/kernel/go.sum b/kernel/go.sum
index 63624c1ee..e4a63057e 100644
--- a/kernel/go.sum
+++ b/kernel/go.sum
@@ -12,8 +12,8 @@ github.com/88250/go-humanize v0.0.0-20240424102817-4f78fac47ea7 h1:MafIFwSS0x6A4
 github.com/88250/go-humanize v0.0.0-20240424102817-4f78fac47ea7/go.mod h1:HrKCCTin3YNDSLBD02K0AOljjV6eNwc3/zyEI+xyV1I=
 github.com/88250/go-sqlite3 v1.14.13-0.20231214121541-e7f54c482950 h1:Pa5hMiBceTVVqrYaDlLio2QSKbXMUmAZPbzCwT5eNCw=
 github.com/88250/go-sqlite3 v1.14.13-0.20231214121541-e7f54c482950/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/88250/gulu v1.2.3-0.20251119142510-7b1583ab4aa0 h1:ip0IQCJCLtJEDHil+2XSnh3NP39i98SYV5qhWoUeMnA=
-github.com/88250/gulu v1.2.3-0.20251119142510-7b1583ab4aa0/go.mod h1:IQ5dXW9CjVmx6B7OfK1Y4ZBKTPMe9q1AkVoLGGzRbS8=
+github.com/88250/gulu v1.2.3-0.20251208021445-f93f2666eaac h1:EC80pY8zyR0gbL8ZLIBB4IPG/ia3ZHScrR/xt8zU8qU=
+github.com/88250/gulu v1.2.3-0.20251208021445-f93f2666eaac/go.mod h1:IQ5dXW9CjVmx6B7OfK1Y4ZBKTPMe9q1AkVoLGGzRbS8=
 github.com/88250/lute v1.7.7-0.20251206130006-9ab22d55a1d6 h1:bHj9v3Ashr4ofT57aBNbzHQnz4OuKrKUuOn4G5VW4DI=
 github.com/88250/lute v1.7.7-0.20251206130006-9ab22d55a1d6/go.mod h1:WYyUw//5yVw9BJnoVjx7rI/3szsISxNZCYGOqTIrV0o=
 github.com/88250/pdfcpu v0.3.14-0.20250424122812-f10e8d9d8d46 h1:Bq1JsDfVbHKUxNL/B2JXd8cC/1h6aFjrlXpGycnh0Hk=
From 4262c40cdba532b720ef8190a7f81770ab7f0c5b Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Mon, 8 Dec 2025 10:28:31 +0800
Subject: [PATCH 2/2] :lock: Fix Command Injection via PandocBin https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4r66-7rcv-x46x
Signed-off-by: Daniel <845765@qq.com>
---
 kernel/util/pandoc.go | 65 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
diff --git a/kernel/util/pandoc.go b/kernel/util/pandoc.go
index c8c465c54..ca0e6212a 100644
--- a/kernel/util/pandoc.go
+++ b/kernel/util/pandoc.go
@@ -211,6 +211,71 @@ func IsValidPandocBin(binPath string) bool {
 return false
 }
 
+ // 解析符号链接
+ if real, err := filepath.EvalSymlinks(binPath); err == nil {
+ binPath = real
+ }
+
+ // 文件信息检查
+ fi, err := os.Stat(binPath)
+ if err != nil || fi.IsDir() || !fi.Mode().IsRegular() {
+ return false
+ }
+
+ // 在 Unix 上要求拥有可执行权限
+ if !gulu.OS.IsWindows() {
+ if fi.Mode().Perm()&0111 == 0 {
+ return false
+ }
+ }
+
+ // 读取文件头判断是否为二进制并排除脚本(#!)
+ f, err := os.Open(binPath)
+ if err != nil {
+ return false
+ }
+ defer f.Close()
+
+ header := make([]byte, 16)
+ n, _ := f.Read(header)
+ header = header[:n]
+
+ // 拒绝以 shebang 开头的脚本
+ if bytes.HasPrefix(header, []byte("#!")) {
+ return false
+ }
+
+ isBin := false
+ // 常见二进制魔数:ELF, PE("MZ"), Mach-O/FAT
+ if len(header) >= 4 {
+ switch {
+ case bytes.Equal(header[:4], []byte{0x7f, 'E', 'L', 'F'}):
+ isBin = true // ELF
+ case bytes.Equal(header[:4], []byte{0xfe, 0xed, 0xfa, 0xce}):
+ isBin = true // Mach-O
+ case bytes.Equal(header[:4], []byte{0xce, 0xfa, 0xed, 0xfe}):
+ isBin = true // Mach-O (swapped)
+ case bytes.Equal(header[:4], []byte{0xca, 0xfe, 0xba, 0xbe}):
+ isBin = true // FAT
+ }
+ }
+ // PE only needs first 2 bytes "MZ"
+ if !isBin && len(header) >= 2 && bytes.Equal(header[:2], []byte{'M', 'Z'}) {
+ isBin = true
+ }
+
+ // Windows 上允许 .exe 文件(作为补充判断)
+ if !isBin && gulu.OS.IsWindows() {
+ ext := strings.ToLower(filepath.Ext(binPath))
+ if ext == ".exe" {
+ isBin = true
+ }
+ }
+
+ if !isBin {
+ return false
+ }
+
 cmd := exec.Command(binPath, "--version")
 gulu.CmdAttr(cmd)
 data, err := cmd.CombinedOutput()
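Review bot: The Mach-O cases in the magic-number switch only match the 32-bit magic (`0xfeedface` and its byte-swapped form), so a 64-bit Mach-O — which is what a single-architecture macOS pandoc build is unless it is shipped as a universal/FAT binary — starts with `0xfeedfacf`/`0xcffaedfe`, sets no `isBin`, and is rejected by `if !isBin { return false }`. Add a case for the 64-bit magics: `case bytes.Equal(header[:4], []byte{0xfe, 0xed, 0xfa, 0xcf}), bytes.Equal(header[:4], []byte{0xcf, 0xfa, 0xed, 0xfe}):` followed by `isBin = true // Mach-O 64-bit`. Note also that the magic-byte gate is weak on its own: any native executable already on the host (a shell such as `/bin/bash` is itself an ELF or Mach-O file) passes every check here, so whether this closes the advisory depends on the `--version` output being verified as pandoc's, which happens after the hunk and cannot be confirmed from it; the same path is also handed to `exec.Command` after `os.Stat`/`os.Open`, so a file swapped in between the checks and the exec is not caught. `IsValidPandocBin` begins and ends outside this hunk.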