🔒 Some security vulnerabilities https://github.com/siyuan-note/siyuan/issues/13426

2024-12-11 17:15:54 +08:00 · 2024-12-11 17:15:54 +08:00 · e70ed57f6e
commit e70ed57f6e
parent 2b5a9f9f1a
5 changed files with 28 additions and 1 deletions
--- a/kernel/api/template.go
+++ b/kernel/api/template.go
@ -80,6 +80,12 @@ func renderTemplate(c *gin.Context) {
 		return
 	}

+	if !util.IsAbsPathInWorkspace(p) {
+		ret.Code = -1
+		ret.Msg = "Path [" + p + "] is not in workspace"
+		return
+	}
+
 	preview := false
 	if previewArg := arg["preview"]; nil != previewArg {
 		preview = previewArg.(bool)
--- a/kernel/model/export.go
+++ b/kernel/model/export.go
@ -532,7 +532,13 @@ func ExportResources(resourcePaths []string, mainName string) (exportFilePath st

 	// 将需要导出的文件/文件夹复制到临时文件夹
 	for _, resourcePath := range resourcePaths {
-		resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath)    // 资源完整路径
+		resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath) // 资源完整路径
+		if !util.IsAbsPathInWorkspace(resourceFullPath) {
+			logging.LogErrorf("resource path [%s] is not in workspace", resourceFullPath)
+			err = errors.New("resource path [" + resourcePath + "] is not in workspace")
+			return
+		}
+
 		resourceBaseName := filepath.Base(resourceFullPath)                   // 资源名称
 		resourceCopyPath := filepath.Join(exportFolderPath, resourceBaseName) // 资源副本完整路径
 		if err = filelock.Copy(resourceFullPath, resourceCopyPath); err != nil {
--- a/kernel/model/upload.go
+++ b/kernel/model/upload.go
@ -132,6 +132,11 @@ func Upload(c *gin.Context) {
 	if nil != form.Value["assetsDirPath"] {
 		relAssetsDirPath = form.Value["assetsDirPath"][0]
 		assetsDirPath = filepath.Join(util.DataDir, relAssetsDirPath)
+		if !util.IsAbsPathInWorkspace(assetsDirPath) {
+			ret.Code = -1
+			ret.Msg = "Path [" + assetsDirPath + "] is not in workspace"
+			return
+		}
 	}
 	if !gulu.File.IsExist(assetsDirPath) {
 		if err = os.MkdirAll(assetsDirPath, 0755); err != nil {
--- a/kernel/treenode/template.go
+++ b/kernel/treenode/template.go
@ -31,6 +31,12 @@ import (

 func BuiltInTemplateFuncs() (ret template.FuncMap) {
 	ret = sprig.TxtFuncMap()
+
+	// 因为安全原因移除一些函数 https://github.com/siyuan-note/siyuan/issues/13426
+	delete(ret, "env")
+	delete(ret, "expandenv")
+	delete(ret, "getHostByName")
+
 	ret["Weekday"] = util.Weekday
 	ret["WeekdayCN"] = util.WeekdayCN
 	ret["WeekdayCN2"] = util.WeekdayCN2
--- a/kernel/util/path.go
+++ b/kernel/util/path.go
@ -302,3 +302,7 @@ func GetAbsPathInWorkspace(relPath string) (string, error) {
 	}
 	return "", os.ErrPermission
 }
+
+func IsAbsPathInWorkspace(absPath string) bool {
+	return IsSubPath(WorkspaceDir, absPath)
+}