Headline
CVE-2022-39215: [bug] Accessing junction folder from within $APP folder on Windows · Issue #4882 · tauri-apps/tauri
Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined scope. Users are advised to upgrade. Users unable to upgrade should disable the readDir endpoint in the allowlist inside the tauri.conf.json.
Describe the bug
When a junction is created in the $APP Base directory on windows
eg. mklink /J C:\Users<user>\AppData\Roaming<identifier>\TestFolder C:\Dev\TestFolder)
The folder is accessible together with all files and folders inside using fs if read from the root directory
const entries = await readDir('’, { dir: BaseDirectory.App, recursive: true });
But when trying to read the folder directly using
const entries = await readDir('TestFolder’, { dir: BaseDirectory.App, recursive: true });
it fails with an error
Uncaught (in promise) path not allowed on the configured scope: C:\Users<user>\AppData\Roaming<identifier>\TestFolder
Reproduction
- Create Junction in $APP directory
- Try to access that directory recursively with readDir with empty dir parameter
- Folder and its contents can be read
- Try to access that directory again with readDir but with the name of the directory as dir parameter
Expected behavior
I would expect to either not be able to access the folder at all, or be able to access it directly as well if it is accessible from root recursively.
Platform and versions
Environment
› OS: Windows 10.0.19044 X64
› Webview2: 103.0.1264.77
› MSVC:
- Visual Studio Community 2019
- Visual Studio Build Tools 2019
› Node.js: 16.13.1
› npm: 8.1.2
› pnpm: 6.11.0
› yarn: 1.22.15
› rustup: 1.25.1
› rustc: 1.62.1
› cargo: 1.62.1
› Rust toolchain: stable-x86_64-pc-windows-msvc
Packages
› @tauri-apps/cli [NPM]: 1.0.5
› @tauri-apps/api [NPM]: 1.0.2
› tauri [RUST]: 1.0.5,
› tauri-build [RUST]: 1.0.4,
› tao [RUST]: 0.12.2,
› wry [RUST]: 0.19.0,
App
› build-type: bundle
› CSP: unset
› distDir: ../dist
› devPath: http://localhost:5173/
› framework: Vue.js
App directory structure
├─ .vscode
├─ dist
├─ node_modules
├─ public
├─ src
└─ src-tauri
Stack trace
No response
Additional context
No response
Related news
### Impact Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. ### Patches The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. ### Workarounds Disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`. ### For more information This issue was initially reported by [martin-ocasek]( https://github.com/martin-ocasek) in [#4882](https://github.com/tauri-apps/tauri/issues/4882). If you have any questions or comments about this advisory: * Open an issue in [tauri](https://github.com/tauri-apps/tauri) * Email us at [[email protected]](mailto:[email protected])