Impact
Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.
Patches
The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope.
Workarounds
Disable the readDir endpoint in the allowlist inside the tauri.conf.json.
For more information
This issue was initially reported by martin-ocasek in #4882.
If you have any questions or comments about this advisory:
- Open an issue in tauri
- Email us at security@tauri.app
References
- https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499
- https://nvd.nist.gov/vuln/detail/CVE-2022-39215
- https://github.com/tauri-apps/tauri/issues/4882
- https://github.com/tauri-apps/tauri/pull/5123
- https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678
- https://github.com/tauri-apps/tauri/commit/bb178829086e80916f9be190f02d83bc25802799
- https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.6
- https://github.com/advisories/GHSA-28m8-9j7v-x499