siyuan/kernel/server
Qiaochu Hu 890d2c5a67 🔒 Fix path traversal vulnerability in /repo/diff/ endpoint (#17657)
The /repo/diff/ endpoint used the URL path parameter directly in
filepath.Join without validation, allowing an authenticated admin
user to read arbitrary files via path traversal sequences.

This fix:
- Cleans the path with filepath.Clean
- Rejects paths containing ".."
- Validates the final path with IsSubPath to ensure it stays within
  {TempDir}/repo/diff/

Co-authored-by: Test User <test@example.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 19:20:31 +08:00
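The three checks listed in the commit message, carried through as a stand-alone Go example. This is added illustration, not the project's own code: the real handler, its `TempDir` value and the project's `IsSubPath` helper are not shown on this page, so `diffDir`, `isSubPath`, `resolveDiffPath` and `unsafeDiffPath` are hypothetical names, `isSubPath` is my own lexical implementation, and the `/tmp/siyuan` temp dir and the sample path parameters are constructed test inputs. `unsafeDiffPath` reproduces the pre-fix behaviour of passing the parameter straight to `filepath.Join` so the escape can be seen beside the hardened version.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideDiffDir is returned for every rejected path parameter.
var ErrOutsideDiffDir = errors.New("path escapes the repo diff directory")

// diffDir is the only directory the endpoint may serve from.
// Assumption: stands in for "{TempDir}/repo/diff/" from the commit message.
func diffDir(tempDir string) string {
	return filepath.Join(tempDir, "repo", "diff")
}

// isSubPath reports whether child lies strictly inside parent, judged
// lexically on cleaned paths. Hypothetical stand-in for the project's
// IsSubPath; it deliberately rejects child == parent, since the diff
// directory itself is never a file to serve.
func isSubPath(parent, child string) bool {
	rel, err := filepath.Rel(parent, child)
	if err != nil {
		return false
	}
	if rel == "." || rel == ".." || filepath.IsAbs(rel) {
		return false
	}
	return !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveDiffPath applies the fix's three steps to a raw URL path
// parameter: clean it, refuse any remaining "..", and confirm the joined
// result still lies under the diff directory.
func resolveDiffPath(tempDir, param string) (string, error) {
	cleaned := filepath.Clean(param)
	if strings.Contains(cleaned, "..") {
		return "", ErrOutsideDiffDir
	}
	base := diffDir(tempDir)
	full := filepath.Join(base, cleaned)
	if !isSubPath(base, full) {
		return "", ErrOutsideDiffDir
	}
	return full, nil
}

// unsafeDiffPath is the pre-fix behaviour: the parameter is joined with
// no validation, so "../" sequences walk out of the diff directory.
func unsafeDiffPath(tempDir, param string) string {
	return filepath.Join(diffDir(tempDir), param)
}

func main() {
	// Constructed inputs: one benign file name, one traversal attempt.
	for _, p := range []string{"abc.diff", "../../../../etc/passwd"} {
		fmt.Printf("unsafe  %-26q -> %s\n", p, unsafeDiffPath("/tmp/siyuan", p))
		got, err := resolveDiffPath("/tmp/siyuan", p)
		fmt.Printf("fixed   %-26q -> %q err=%v\n", p, got, err)
	}
}
```

Two things worth knowing when porting this pattern. The `..` substring test is stricter than traversal requires: a legitimate file named `a..b.diff` is refused too, which is a false positive rather than a bypass, and `filepath.Clean` has already collapsed any interior `..` segments, so the check really only fires on leading ones; the `isSubPath` step is the backstop that does not depend on that. Both checks are lexical, so a symlink planted inside the diff directory would still resolve outside it; if untrusted users can write there, resolve with `filepath.EvalSymlinks` before the containment check.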