GHSA-28m8-9j7v-x499

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-28m8-9j7v-x499/GHSA-28m8-9j7v-x499.json
Aliases
  • CVE-2022-39215
Published
2022-09-16T19:28:49Z
Modified
2022-09-22T17:28:05Z
Details

Impact

Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.

Patches

The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined scope.

Workarounds

Disable the readDir endpoint in the allowlist inside the tauri.conf.json.

For more information

This issue was initially reported by martin-ocasek in #4882.

If you have any questions or comments about this advisory: * Open an issue in tauri * Email us at security@tauri.app

References

Affected packages

crates.io / tauri

tauri

Affected ranges

Type
SEMVER
Events
Introduced
0
Fixed
1.0.6

Affected versions