CVE-2022-41874

Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it is possible to partially bypass the `fs` scope definition. It is not possible to traverse into arbitrary paths, as the issue is limited to neighboring files and sub folders of already allowed paths. The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters. This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime. A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. The issue has been patched in versions 1.0.7, 1.1.2 and 1.2.0. As a workaround, disable the dialog and fileDropEnabled component inside the tauri.conf.json.

Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it is possible to partially bypass the `fs` scope definition. It is not possible to traverse into arbitrary paths, as the issue is limited to neighboring files and sub folders of already allowed paths. The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters. This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime. A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. The issue has been patched in versions 1.0.7, 1.1.2 and 1.2.0. As a workaround, disable the dialog and fileDropEnabled component inside the tauri.conf.json.

A bug identified in [this](https://github.com/tauri-apps/tauri/issues/5234) issue allows a partial filesystem scope bypass if glob characters are used within file dialog or drag-and-drop functionalities. [This](https://github.com/tauri-apps/tauri/pull/5237) PR fixes the issue by escaping glob characters.

### Impact Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it was possible to partially bypass the `fs` scope definition. It was not possible to traverse into arbitrary paths, as the issue was limited to neighboring files and sub folders of already allowed paths. The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters. On Linux or MacOS based systems it was possible to use the `*`, `**` and `[a-Z]` patterns inside a path, which allowed to read the content of sub directories and single character files in a folder, where only specific files or the directory itself were allowed. On Windows `[a-Z]` was the possible bypass pattern, as `*` is not treated as a valid path component. This implies that only single character files inside an already allowed directory were unintentionally accessible. This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime. A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. This means the issue by itself can not be abused and requires further intentional or unintentional privileges. ### Workaround Disable the `dialog` and `fileDropEnabled` component inside the `tauri.conf.json`. ### Patches The issue has been resolved in #5237 and the implementation now properly escapes the special characters. The patch has been included in releases: `1.0.7`, `1.1.2` and `1.2.0` ### For more information This issue was initially reported by MessyComposer in #5234. If you have any questions or comments about this advisory: Open an issue in tauri Email us at security@tauri.app

Tauri es un framework para crear archivos binarios para las principales plataformas de escritorio. En versiones anteriores a la 1.0.7 y 1.1.2, Tauri es vulnerable a un Nombre Resuelto Incorrectamente. Debido al escape incorrecto de caracteres especiales en las rutas seleccionadas mediante el cuadro de diálogo del archivo y la funcionalidad de arrastrar y soltar, es posible omitir parcialmente la definición de alcance `fs`. No es posible recorrer rutas arbitrarias, ya que el problema se limita a archivos vecinos y subcarpetas de rutas ya permitidas. El impacto difiere en Windows, MacOS y Linux debido a las diferentes especificaciones de caracteres de ruta válidos. Esta omisión depende del cuadro de diálogo del selector de archivos o de los archivos arrastrados, ya que las rutas seleccionadas por el usuario se agregan automáticamente a la lista de permitidos en tiempo de ejecución. Una omisión exitosa requiere que el usuario seleccione un archivo o directorio malicioso preexistente durante el cuadro de diálogo del selector de archivos y una lógica controlada por el adversario para acceder a estos archivos. El problema se solucionó en las versiones 1.0.7, 1.1.2 y 1.2.0. Como workaround, deshabilite el cuadro de diálogo y el componente fileDropEnabled dentro de tauri.conf.json.