Skip to content

Tauri Filesystem Scope can be Partially Bypassed

Low severity GitHub Reviewed Published Nov 8, 2022 in tauri-apps/tauri • Updated Feb 28, 2023

Package

cargo Tauri (Rust)

Affected versions

>= 1.0.0, < 1.0.7
>= 1.1.0, < 1.1.2

Patched versions

1.0.7
1.1.2

Description

Impact

Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it was possible to partially bypass the fs scope definition. It was not possible to traverse into arbitrary paths, as the issue was limited to neighboring files and sub folders of already allowed paths.

The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters.

On Linux or MacOS based systems it was possible to use the *, ** and [a-Z] patterns inside a path, which allowed to read the content of sub directories and single character files in a folder, where only specific files or the directory itself were allowed.

On Windows [a-Z] was the possible bypass pattern, as * is not treated as a valid path component. This implies that only single character files inside an already allowed directory were unintentionally accessible.

This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime.

A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. This means the issue by itself can not be abused and requires further intentional or unintentional privileges.

Workaround

Disable the dialog and fileDropEnabled component inside the tauri.conf.json.

Patches

The issue has been resolved in #5237 and the implementation now properly escapes the special characters. The patch has been included in releases: 1.0.7, 1.1.2 and 1.2.0

For more information

This issue was initially reported by MessyComposer in #5234.

If you have any questions or comments about this advisory:

Open an issue in tauri
Email us at [email protected]

References

@lucasfernog lucasfernog published to tauri-apps/tauri Nov 8, 2022
Published to the GitHub Advisory Database Nov 8, 2022
Reviewed Nov 8, 2022
Published by the National Vulnerability Database Nov 10, 2022
Last updated Feb 28, 2023

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

EPSS score

0.054%
(25th percentile)

Weaknesses

CVE ID

CVE-2022-41874

GHSA ID

GHSA-q9wv-22m9-vhqh

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.