From 0a17b83372612edb55df0d95b173ce4bef0d0d33 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Wed, 25 Jun 2025 13:15:55 +0800
Subject: [PATCH] :lock: XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034

---
 kernel/api/block.go | 4 ----
 kernel/filesys/json_parser.go | 9 +++++++++
 kernel/model/blockial.go | 15 ---------------
 kernel/model/blockinfo.go | 14 +-------------
 kernel/model/file.go | 7 +------
 5 files changed, 11 insertions(+), 38 deletions(-)

diff --git a/kernel/api/block.go b/kernel/api/block.go
index 25097d68d..0213aa0a6 100644
--- a/kernel/api/block.go
+++ b/kernel/api/block.go
@@ -627,10 +627,6 @@ func getBlockInfo(c *gin.Context) {
 rootTitle := root.IAL["title"]
 rootTitle = html.UnescapeString(rootTitle)
 icon := root.IAL["icon"]
- if strings.Contains(icon, ".") {
- // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
- icon = util.FilterUploadEmojiFileName(icon)
- }
 ret.Data = map[string]string{
 "box": block.Box,
 "path": block.Path,
diff --git a/kernel/filesys/json_parser.go b/kernel/filesys/json_parser.go
index 8b76ff2c6..6646cf604 100644
--- a/kernel/filesys/json_parser.go
+++ b/kernel/filesys/json_parser.go
@@ -25,6 +25,7 @@ import (
 "github.com/88250/lute/editor"
 "github.com/88250/lute/parse"
 "github.com/siyuan-note/siyuan/kernel/treenode"
+ "github.com/siyuan-note/siyuan/kernel/util"
 )

 func ParseJSONWithoutFix(jsonData []byte, options *parse.Options) (ret *parse.Tree, err error) {
@@ -57,6 +58,14 @@ func ParseJSON(jsonData []byte, options *parse.Options) (ret *parse.Tree, needFi
 }

 ret = &parse.Tree{Name: "", ID: root.ID, Root: &ast.Node{Type: ast.NodeDocument, ID: root.ID, Spec: root.Spec}, Context: &parse.Context{ParseOption: options}}
+ if icon := root.Properties["icon"]; "" != icon {
+ // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
+ if newIcon := util.FilterUploadEmojiFileName(icon); newIcon != icon {
+ root.Properties["icon"] = newIcon
+ needFix = true
+ }
+ }
+
 ret.Root.KramdownIAL = parse.Map2IAL(root.Properties)
 ret.Root.SetIALAttr("type", "doc")
 for _, kv := range ret.Root.KramdownIAL {
diff --git a/kernel/model/blockial.go b/kernel/model/blockial.go
index 24c6fb9f6..2d64f1bd3 100644
--- a/kernel/model/blockial.go
+++ b/kernel/model/blockial.go
@@ -250,21 +250,6 @@ func setNodeAttrs0(node *ast.Node, nameValues map[string]string) (oldAttrs map[s

 func pushBroadcastAttrTransactions(oldAttrs map[string]string, node *ast.Node) {
 newAttrs := parse.IAL2Map(node.KramdownIAL)
-
- // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
- for name, value := range oldAttrs {
- if "icon" == name {
- value = util.FilterUploadEmojiFileName(value)
- oldAttrs[name] = value
- }
- }
- for name, value := range newAttrs {
- if "icon" == name {
- value = util.FilterUploadEmojiFileName(value)
- newAttrs[name] = value
- }
- }
-
 data := map[string]interface{}{"old": oldAttrs, "new": newAttrs}
 if "" != node.AttributeViewType {
 data["data-av-type"] = node.AttributeViewType
diff --git a/kernel/model/blockinfo.go b/kernel/model/blockinfo.go
index 7e17350ea..859ef3caf 100644
--- a/kernel/model/blockinfo.go
+++ b/kernel/model/blockinfo.go
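Review bot: With the filter moved into ParseJSON, an `icon` value written onto an already-loaded tree through the attribute path no longer passes any sanitizer before it is broadcast, because the blockial.go hunk in this commit deletes the filtering in pushBroadcastAttrTransactions without adding a replacement; unless setNodeAttrs0 or the API layer already normalizes `icon` on write (not visible here), the write side needs the same call, e.g. `if "icon" == name { value = util.FilterUploadEmojiFileName(value) }` before the attribute is stored. The new check also drops the `strings.Contains(icon, ".")` guard every removed call site used, so if the helper rewrites codepoint-style icons at all, each such document would be flagged `needFix` and rewritten on load — worth confirming the helper is a no-op for them or restoring the guard. ParseJSONWithoutFix, declared just above this hunk, is untouched; if it maps root.Properties onto the IAL the same way, trees loaded through it bypass the filter. The inline comment could state why the check lives here rather than at the consumers: `// Sanitize once at load time so every consumer of the tree (API, broadcasts, doc tree) sees a safe icon; needFix persists the cleaned value.` ParseJSON starts and ends outside the hunk.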
@@ -65,13 +65,6 @@ func GetDocInfo(blockID string) (ret *BlockInfo) {
 title := tree.Root.IALAttr("title")
 ret = &BlockInfo{ID: blockID, RootID: tree.Root.ID, Name: title}
 ret.IAL = parse.IAL2Map(tree.Root.KramdownIAL)
- icon := ret.IAL["icon"]
- if strings.Contains(icon, ".") {
- // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
- icon = util.FilterUploadEmojiFileName(icon)
- ret.IAL["icon"] = icon
- }
-
 scrollData := ret.IAL["scroll"]
 if 0 < len(scrollData) {
 scroll := map[string]interface{}{}
@@ -138,12 +131,7 @@ func GetDocInfo(blockID string) (ret *BlockInfo) {
 }
 }
 ret.SubFileCount = subFileCount
- icon = tree.Root.IALAttr("icon")
- if strings.Contains(icon, ".") {
- // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
- icon = util.FilterUploadEmojiFileName(icon)
- }
- ret.Icon = icon
+ ret.Icon = tree.Root.IALAttr("icon")
 return
 }

diff --git a/kernel/model/file.go b/kernel/model/file.go
index 98bef0b13..bd3c51ddf 100644
--- a/kernel/model/file.go
+++ b/kernel/model/file.go
@@ -80,12 +80,7 @@ func (box *Box) docFromFileInfo(fileInfo *FileInfo, ial map[string]string) (ret
 ret.Path = fileInfo.path
 ret.Size = uint64(fileInfo.size)
 ret.Name = ial["title"] + ".sy"
- icon := ial["icon"]
- if strings.Contains(icon, ".") {
- // XSS through emoji name https://github.com/siyuan-note/siyuan/issues/15034
- icon = util.FilterUploadEmojiFileName(icon)
- }
- ret.Icon = icon
+ ret.Icon = ial["icon"]
 ret.ID = ial["id"]
 ret.Name1 = ial["name"]
 ret.Alias = ial["alias"]
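Review bot: `ret.Icon = ial["icon"]` in docFromFileInfo now relies entirely on the `ial` map having come from a tree that went through ParseJSON, but the map is supplied by the caller; if it is produced by a lightweight reader that decodes only the root properties of the .sy file (plausible for listing documents without a full parse, though not visible here), the icon reaches the document tree without ever meeting the filter this commit moved into ParseJSON. Either confirm the caller's map is derived from a fully parsed tree, or keep a defensive `ret.Icon = util.FilterUploadEmojiFileName(ial["icon"])` here, which should be harmless on a value that is already clean. The same question applies to the GetDocInfo hunk above only if `tree` can be loaded without ParseJSON. docFromFileInfo starts and ends outside the hunk.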