CVE-2022-46171: Tauri Filesystem Scope Glob Pattern is too Permissive
(updated )
The filesystem glob pattern wildcards *, ?, and [...] match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths.
Example: The fs scope $HOME/*.key would also allow $HOME/.ssh/secret.key to be read even though it is in a sub directory of $HOME and is inside a hidden folder.
Scopes without the wildcards are not affected. As ** allows for sub directories the behavior there is also as expected.
References
- github.com/advisories/GHSA-6mv3-wm7j-h4w5
- github.com/tauri-apps/tauri
- github.com/tauri-apps/tauri/commit/14d567f7ecb25a6d1024cf3d796f86aee89d0dd4
- github.com/tauri-apps/tauri/commit/72389b00d7b495ffd7750eb1e75a3b8537d07cf3
- github.com/tauri-apps/tauri/commit/f0602e7c294245ab6ef6fbf2a976ef398340ef58
- github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5
- nvd.nist.gov/vuln/detail/CVE-2022-46171
Code Behaviors & Features
Detect and mitigate CVE-2022-46171 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →