Skip to content

The readDir Endpoint Scope can be Bypassed With Symbolic Links

Low
tweidinger published GHSA-28m8-9j7v-x499 Sep 15, 2022

Package

Tauri (Tauri-Apps)

Affected versions

< 1.0.6

Patched versions

1.1.0,1.0.6

Description

Impact

Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.

Patches

The issue has been resolved in #5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope.

Workarounds

Disable the readDir endpoint in the allowlist inside the tauri.conf.json.

For more information

This issue was initially reported by martin-ocasek in #4882.

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2022-39215

Weaknesses

Credits