Launch Week Day 1: Announcing Security Design Review
Start for Free
HIGH 8.5 Go

SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`

GHSA-vw86-c94w-v3x4 · CVE-2026-40318

Published · Modified

Description

Summary

The endpoint /api/av/removeUnusedAttributeView is vulnerable to a path traversal (CWE-22) that allows an attacker to delete arbitrary .json files on the server.

The issue arises because user-controlled input (id) is directly used in filesystem path construction without validation or restriction.

Access to this endpoint (e.g., via a Reader-role or publish context) is considered a precondition and not part of the vulnerability. The root cause is unsafe path handling.

Steps To Reproduce

  1. Ensure the target instance has the publish service enabled (or any valid access to the endpoint).
  2. Send the following request:
POST /api/av/removeUnusedAttributeView HTTP/1.1
Host: <target>
Content-Type: application/json

{
  "id": "../../../conf/conf"
}
  1. Observe that the request is accepted.
  2. The server resolves the path outside the intended directory and deletes the target file.

Impact

An attacker can delete arbitrary .json files within the workspace directory.

This may lead to:

  • Deletion of global configuration files (e.g., conf/conf.json)
  • Loss of user data and application state
  • Corruption of workspace metadata
  • Persistent application instability or forced recovery

This represents a server-side arbitrary file deletion primitive, which can have severe impact depending on the targeted files.

Technical Details

The vulnerable code constructs file paths as follows:

filepath.Join(util.DataDir, "storage", "av", id+".json")

Because id is not validated, attackers can inject path traversal sequences such as ../ to escape the intended directory.

Example payloads

  • ../localdata/storage/local.json
  • ../../storage/outlinedata/storage/outline.json
  • ../../../conf/confconf/conf.json

No validation or restriction is applied to:

  • input format
  • path normalization
  • directory boundaries

Root Cause

  • Untrusted user input (id) is directly used in filesystem path construction
  • No input validation or sanitization
  • No enforcement that the resolved path stays within the intended directory

Remediation

  1. Validate input strictly

    • Only allow valid Attribute View IDs
    • Reject any input containing path traversal sequences

  2. Enforce directory boundaries

base := filepath.Join(util.DataDir, "storage", "av")
absPath := filepath.Join(base, id+".json")

if !util.IsSubPath(base, absPath) {
    return error
}

  1. Normalize paths before use

    • Ensure canonical paths cannot escape the base directory

  2. Add additional logical checks

    • Verify that the target object is valid and allowed to be deleted

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes