SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin

Summary

Siyuan is vulnerable to RCE. The issue stems from a "Zip Slip" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution.

Steps to reproduce

1. Authenticate
2. Create zip slip payload with path traversal entry ../../../../opt/siyuan/startup.sh. startup.sh contains malicious code like:

#!/bin/sh
echo 'you have been pwned' > /siyuan/workspace/data/pwned.txt
echo "pandoc 3.1.0"

3. Upload zip to workspace via /api/file/putFile
4. Extract zip via /api/archive/unzip, overwrites the existing executable startup.sh while maintaining the +x permission
5. Trigger execution by calling /api/setting/setExport with pandocBin=/opt/siyuan/startup.sh. This calls IsValidPandocBin() which executes startup.sh --version that outputs "pandoc 3.1.0" and executes any arbitrary malicious code