GHSA-6MV3-WM7J-H4W5

Vulnerability from github – Published: 2022-12-22 20:03 – Updated: 2022-12-23 18:01
VLAI?
Summary
Tauri Filesystem Scope Glob Pattern is too Permissive
Details

Impact

The filesystem glob pattern wildcards *, ?, and [...] match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths.

Example: The fs scope $HOME/*.key would also allow $HOME/.ssh/secret.key to be read even though it is in a sub directory of $HOME and is inside a hidden folder.

Scopes without the wildcards are not affected. As ** allows for sub directories the behavior there is also as expected.

Patches

The issue has been patched in the latest release and was backported into the currently supported 1.x branches.

Workarounds

No workaround is known at the time of publication.

References

The original report contained information that the dialog.open component automatically allows one sub directory to be read, regardless of the recursive option.

Imagine a file system looking like

 o ../
 o documents/
    - file.txt
    - deeper/
       o deep_file.txt

Reproduction steps:

  1. Trying to load “file.txt” or “deep_file.txt” doesn’t work. Expected
  2. Select “documents” as folder to open(ie. with window.TAURI.dialog.open)
  3. Trying to load “file.txt” works. Expected
  4. Trying to load “deep_file.txt” also works, which isn’t expected

The recursive flag is used in https://github.com/tauri-apps/tauri/blob/cd8c074ae6592303d3f6844a4fb6d262eae913b2/core/tauri/src/scope/fs.rs#L154 to scope the filesystem access to either files in the folder or to also include sub directories.

The original issue was replicated and further investigated.

The root cause was triaged to the glob crate facilitating defaults, which allow the * and [...] to also match path literals.

MatchOptions {
    case_sensitive: true,
    require_literal_separator: false,
    require_literal_leading_dot: false
}

This implicated that not only the dialog.open component was affected but rather all fs scopes containing the * or [...] glob. During this investigation it became obvious that the current glob matches would also match hidden folder (e.g: .ssh) content by default, without explicitly allowing hidden folders to be matched. This is not commonly expected behavior in comparison to for example bash.

The new default Match options are:

MatchOptions {
    case_sensitive: true,
    require_literal_separator: true,
    require_literal_leading_dot: true
}

Another note security relevant for developers building applications interacting with case sensitive filesystems is, that the case_sensitive option only affects ASCII file paths and is not valid in Unicode based paths. This is considered a known risk until the glob crate supports non-ASCII file paths for this type of case sensitive matching.

For more Information

If you have any questions or comments about this advisory:

Open an issue in tauri Email us at security@tauri.app

Severity ?
6.8 (Medium)
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-alpha.0"
            },
            {
              "fixed": "2.0.0-alpha.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-22T20:03:43Z",
    "nvd_published_at": "2022-12-23T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths.\n\nExample: The `fs` scope `$HOME/*.key` would also allow `$HOME/.ssh/secret.key` to be read even though it is in a sub directory of `$HOME` and is inside a hidden folder.\n\nScopes without the wildcards are not affected. As `**` allows for sub directories the behavior there is also as expected.\n\n### Patches\n\nThe issue has been patched in the latest release and was backported into the currently supported 1.x branches.\n\n### Workarounds\n\nNo workaround is known at the time of publication.\n\n### References\n\nThe original report contained information that the `dialog.open` component automatically allows one sub directory to be read, regardless of the `recursive` option.\n\nImagine a file system looking like\n```\n o ../\n o documents/\n    - file.txt\n    - deeper/\n       o deep_file.txt\n```\n\nReproduction steps:\n\n1. Trying to load \u201cfile.txt\u201d or \u201cdeep_file.txt\u201d doesn\u2019t work. Expected\n2. Select \u201cdocuments\u201d as folder to open(ie. with window.__TAURI__.dialog.open)\n3. Trying to load \u201cfile.txt\u201d works. Expected\n5. Trying to load \u201cdeep_file.txt\u201d also works, which isn\u2019t expected\n\nThe recursive flag is used in https://github.com/tauri-apps/tauri/blob/cd8c074ae6592303d3f6844a4fb6d262eae913b2/core/tauri/src/scope/fs.rs#L154 to scope the filesystem access to either files in the folder or to also include sub directories.\n\nThe original issue was replicated and further investigated.\n\nThe root cause was triaged to the `glob` crate facilitating defaults, which allow the `*` and `[...]` to also match path literals.\n\n```rust\nMatchOptions {\n    case_sensitive: true,\n    require_literal_separator: false,\n    require_literal_leading_dot: false\n}\n```\n\nThis implicated that not only the `dialog.open` component was affected but rather all `fs` scopes containing the `*` or `[...]` glob.\nDuring this investigation it became obvious that the current glob matches would also match hidden folder (e.g: `.ssh`) content by default, without explicitly allowing hidden folders to be matched. This is not commonly expected behavior in comparison to for example `bash`.\n\nThe new default  Match options are:\n\n```rust\nMatchOptions {\n    case_sensitive: true,\n    require_literal_separator: true,\n    require_literal_leading_dot: true\n}\n```\n\n\u003e Another note security relevant for developers building applications interacting with case sensitive filesystems is, that the `case_sensitive` option only affects ASCII file paths and is not valid in Unicode based paths. This is considered a known risk until the `glob` crate supports non-ASCII file paths for this type of case sensitive matching.\n\n### For more Information\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in tauri\nEmail us at [security@tauri.app](mailto:security@tauri.app)\n",
  "id": "GHSA-6mv3-wm7j-h4w5",
  "modified": "2022-12-23T18:01:54Z",
  "published": "2022-12-22T20:03:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46171"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/commit/14d567f7ecb25a6d1024cf3d796f86aee89d0dd4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/commit/72389b00d7b495ffd7750eb1e75a3b8537d07cf3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/commit/f0602e7c294245ab6ef6fbf2a976ef398340ef58"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tauri-apps/tauri"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tauri Filesystem Scope Glob Pattern is too Permissive"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.