Path Traversal Vulnerability in SiYuan's /export Endpoint
A critical path traversal vulnerability in the /export endpoint of SiYuan allows arbitrary file reads and secret leakage via double-encoded sequences, risking full system compromise.
Affected
The /export endpoint in SiYuan is susceptible to path traversal due to improper handling of URL-encoded paths. The vulnerability arises from trusting the output of url.PathUnescape without validating that the resulting file path remains within the intended directory (exportBaseDir). Attackers can exploit double-encoded sequences like %252e%252e to bypass checks and access sensitive files such as conf/conf.json, which contains critical secrets.
The proof-of-concept demonstrates that an attacker can read arbitrary files by leveraging the path traversal vulnerability. This highlights the severity of the issue, as it allows unauthorized access to sensitive information and potentially enables remote code execution (RCE). The PoC is considered reliable given the nature of the vulnerability and the code snippets provided, which confirm exploitability.
Monitor for requests containing double-encoded sequences in paths targeting the /export endpoint. Implement log analysis to detect patterns indicative of path traversal attempts, such as repeated access to non-exported files or unusual file accesses. Consider deploying YARA rules to identify malicious request patterns associated with this vulnerability.
1. Sanitize and validate all user-provided paths to ensure they remain within the exportBaseDir. Use a library like github.com/securego/gosec/v2 for secure path handling.
2. Implement strict access controls on sensitive files such as conf/conf.json.
3. Update SiYuan to a version that addresses this vulnerability if available, or apply patches to mitigate the issue.
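As an added example (not SiYuan's own code) of the containment check the mitigation above calls for, shown in Go beside the flawed pattern from the description: a hypothetical pre-decode denylist that an encoded request slips past, a resolve that trusts url.PathUnescape, and a version that verifies the final path against exportBaseDir with filepath.Rel. The base directory and request strings are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes exportBaseDir")

// naiveCheckPasses: hypothetical pre-decode denylist; "%2e%2e" has no literal "..", so it passes.
func naiveCheckPasses(requested string) bool {
	return !strings.Contains(requested, "..")
}

// vulnerableResolve mirrors the flaw: url.PathUnescape output is joined and used with no containment check.
func vulnerableResolve(exportBaseDir, requested string) (string, error) {
	p, err := url.PathUnescape(requested)
	if err != nil {
		return "", err
	}
	return filepath.Join(exportBaseDir, p), nil
}

// safeResolve decodes once, then uses filepath.Rel to verify the cleaned result is under exportBaseDir
// (expected absolute). Checking the final path defeats stacked encodings; symlinks need EvalSymlinks too.
func safeResolve(exportBaseDir, requested string) (string, error) {
	p, err := url.PathUnescape(requested)
	if err != nil {
		return "", err
	}
	base := filepath.Clean(exportBaseDir)
	full := filepath.Join(base, p) // Join cleans, so ".." segments collapse here
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	const base = "/srv/siyuan/export" // constructed sample base directory
	for _, req := range []string{"notes/a.md", "%2e%2e/%2e%2e/conf/conf.json"} {
		v, _ := vulnerableResolve(base, req)
		s, err := safeResolve(base, req)
		fmt.Printf("%-30s naive=%v vuln=%s safe=%q err=%v\n", req, naiveCheckPasses(req), v, s, err)
	}
}
```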
The likelihood of exploitation in the wild is high due to the critical impact and the ease of exploitation using the provided PoC. Threat actors interested in compromising web applications for data exfiltration or system control are likely to target this vulnerability.