GitHub_M·CWE-22·Published 2026-01-28
SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case paths and read protected configuration files. This vulnerability is fixed in 3.5.5.
SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal in github.com/siyuan-note/siyuan/kernel
# File Read Interface Case Bypass Vulnerability

## Vulnerability Name

File Read Interface Case Bypass Vulnerability

## Overview

The `/api/file/getFile` endpoint uses **case-sensitive string equality checks** to block access to sensitive files. On case-insensitive file systems such as **Windows**, attackers can bypass the restriction with a mixed-case spelling of a blocked path and read protected configuration files.

## Impact

- Read sensitive information from configuration files (e.g., access codes, API tokens, sync configurations).
- Remotely exploitable without credentials when the service is published without authentication.

## Trigger Conditions

- Running on a **case-insensitive file system** (Windows, or a default macOS volume).
- The caller can reach `/api/file/getFile` (by passing CheckAuth, or via token injection in published services).

## PoC (Generic Example)

After enabling publication:

**Request:**

```http
POST /api/file/getFile
Content-Type: application/json

{"path":"cOnf/conf.json"}
```

**Expected Result:**

- The content of the configuration file is returned, even though the exact spelling `conf/conf.json` is blocked.

## Root Cause

Path comparison uses strict case-sensitive string matching, without case normalization or identical-file validation. `cOnf/conf.json` is not string-equal to the blocked `conf/conf.json`, yet on a case-insensitive file system both names resolve to the same file.

## Fix Recommendations

- Normalize path casing before comparison on case-insensitive platforms (Windows/macOS).
- Use file-level comparison methods such as `os.SameFile`, which compares the resolved files rather than their spellings.
- Apply blacklist validation on sensitive paths **after case normalization**.

## Notes

- Environment identifiers and sensitive information have been removed.

## Solution

Commit `399a38893e8719968ea2511e177bb53e09973fa6`
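The following is an added example, not SiYuan's code and not the content of the fix commit: a minimal Go reproduction of the flawed comparison next to a check that applies the three recommendations above (case normalization on case-insensitive platforms, traversal rejection, and an `os.SameFile` identity check). The blocklist `protectedRel`, the function names and the workspace layout are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// ErrForbidden is returned when a request targets a protected file.
var ErrForbidden = errors.New("access to protected file denied")

// protectedRel is a hypothetical blocklist of workspace-relative paths
// (assumption: SiYuan's real list is not reproduced here). Entries are
// stored cleaned, with native separators.
var protectedRel = []string{
	filepath.Join("conf", "conf.json"),
}

// vulnerableCheck reproduces the flawed pattern: the requested path is compared
// to the blocklist with a plain, case-sensitive string equality test.
func vulnerableCheck(reqPath string) error {
	clean := filepath.Clean(filepath.FromSlash(reqPath))
	for _, p := range protectedRel {
		if clean == p { // "cOnf/conf.json" != "conf/conf.json", so it passes
			return ErrForbidden
		}
	}
	return nil
}

// caseInsensitiveFS is a coarse platform guess used by main; callers that know
// the actual volume semantics should pass the flag explicitly.
func caseInsensitiveFS() bool {
	return runtime.GOOS == "windows" || runtime.GOOS == "darwin"
}

// hardenedCheck applies the advisory's recommendations in order:
//  1. reject absolute, rooted and traversal paths up front,
//  2. compare against the blocklist after case normalization when the file
//     system is case-insensitive,
//  3. fall back to os.SameFile so that two names resolving to the same file
//     (a case variant the string pass missed, or a symlink) are still caught.
func hardenedCheck(workspace, reqPath string, caseInsensitive bool) error {
	clean := filepath.Clean(filepath.FromSlash(reqPath))
	sep := string(filepath.Separator)
	if filepath.IsAbs(clean) || strings.HasPrefix(clean, sep) ||
		clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return ErrForbidden
	}
	for _, p := range protectedRel {
		a, b := clean, p
		if caseInsensitive {
			a, b = strings.ToLower(a), strings.ToLower(b)
		}
		if a == b {
			return ErrForbidden
		}
		// Identity check: only meaningful when both paths exist on disk.
		reqInfo, err1 := os.Stat(filepath.Join(workspace, clean))
		protInfo, err2 := os.Stat(filepath.Join(workspace, p))
		if err1 == nil && err2 == nil && os.SameFile(reqInfo, protInfo) {
			return ErrForbidden
		}
	}
	return nil
}

func main() {
	ci := caseInsensitiveFS()
	for _, req := range []string{"conf/conf.json", "cOnf/conf.json", "../conf/conf.json", "notes/readme.md"} {
		fmt.Printf("%-20s vulnerable=%v hardened=%v\n", req, vulnerableCheck(req), hardenedCheck(".", req, ci))
	}
}
```

The string comparison alone is not enough even after `ToLower`: Go's `strings.ToLower` does not reproduce every file system's case folding rules, which is why the `os.SameFile` pass stays in place as the final check whenever the requested file exists.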
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | Secondary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 4.0 | Secondary | GHSA | 8.7 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |