CVE-2022-41874: Tauri Framework Incorrectly-Resolved Name Vulnerability in File Dialog and Drag and Drop Functionality

Tauri is a popular framework for building binaries across all major desktop platforms such as Windows, MacOS, and Linux. However, certain versions of Tauri have been found to be vulnerable to incorrect escaping of special characters in paths, specifically in the file dialog and drag and drop functionality. This blog post delves into the exploit details, affected versions, the patch, and a possible workaround for this vulnerability, which was assigned a unique identifier of CVE-2022-41874.

Affected Versions

The vulnerability affects Tauri versions prior to 1..7 and 1.1.2.

Exploit Details

In vulnerable versions, the fs scope definition can be partially bypassed due to incorrect escaping of special characters in paths that are selected via the file dialog, as well as drag and drop functionality. Consequently, a malicious user can gain access to neighboring files and subfolders of already allowed paths. It is worth mentioning that this issue does not allow traversal into arbitrary paths.

The impact may vary across Windows, MacOS, and Linux platforms, as they implement different specifications for valid path characters. To exploit this vulnerability successfully, an attacker would need the user to select a malicious file or directory through the file picker dialog and have implemented an adversary-controlled logic to access these files.

Below is a code snippet illustrating the issue

// Tauri Component for File Dialog
async function openFileDialog() {
  const filePaths = await window.tauri.promisified({
    cmd: "openFileDialog",
  });
  // Perform operations on the selected paths
}

// Drag and Drop Component
window.addEventListener("drop", (event) => {
  event.preventDefault();
  const files = event.dataTransfer.files;
  for (const file of files) {
    // Perform operations on the dropped files
  }
});

For more information on this vulnerability, you can refer to the following resources

- CVE-2022-41874
- Tauri GitHub Issue
- Tauri Changelog

Workaround

In case you cannot immediately upgrade to a patched version, a workaround is to disable the dialog and fileDropEnabled component in your tauri.conf.json configuration file. This will prevent users from using the file dialog and drag and drop functionality, mitigating the risk of exploitation as long as the bypass depends on these two components.

{
  "tauri": {
    "allowlist": {
      "all": false
    }
  },
  "window": {
    "fileDropEnabled": false
  }
}

Conclusion

In summary, the Tauri framework is susceptible to the Incorrectly-Resolved Name vulnerability in file dialog and drag and drop functionality (CVE-2022-41874) for versions prior to 1..7 and 1.1.2. Users are encouraged to upgrade to patched versions or implement the provided workaround to avoid any security implications caused by this issue.

Timeline

Published on: 11/10/2022 21:15:00 UTC
Last modified on: 11/15/2022 20:17:00 UTC