Due to missing canonicalization when readDir
is called recursively, it was possible to display directory listings outside of the defined fs
scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs
scope. No arbitrary file content could be leaked.
The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope
.
Disable the readDir
endpoint in the allowlist
inside the tauri.conf.json
.
This issue was initially reported by martin-ocasek in #4882.
If you have any questions or comments about this advisory: * Open an issue in tauri * Email us at security@tauri.app
{ "nvd_published_at": "2022-09-15T22:15:00Z", "github_reviewed_at": "2022-09-16T19:28:49Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-22", "CWE-59" ] }