Improper Sanitization of Tauri Command Arguments

Base Metric    Score    Severity
overall        2        low

Type: Vulnerability

Status: fixed

Reporting Date: 2023.04.05

The custom-implemented Tauri command show_folder_in_finder can be abused to open arbitrary links instead of revealing a file in the file explorer; the exact behaviour depends on the operating system.

Description

The custom command show_folder_in_finder accepts a string chosen by the user of the application. The string is passed into the explorer process as an argument without further validation or sanitization.

Only the path parameter is passed, and it is limited to a single[1] command argument.

Affected File: apps/desktop/src-tauri/src/main.rs#L66-L92

#[tauri::command]
fn show_folder_in_finder(path: String) {
    #[cfg(target_os = "macos")]
    {
        std::process::Command::new("open")
            .arg(path)
            .arg("-R") // will reveal the file in finder instead of opening it
            .spawn()
            .unwrap();
    }
    #[cfg(target_os = "linux")]
    {
        std::process::Command::new("xdg-open")
            .arg(path)
            .spawn()
            .unwrap();
    }
    #[cfg(target_os = "windows")]
    {
        std::process::Command::new("explorer")
            .arg(path)
            .spawn()
            .unwrap();
    }
}

Impact

An adversary with the primitive to execute arbitrary JavaScript[2] in the frontend can pass links or other non-file paths to the command.

On Linux and Windows it is possible to open arbitrary browser instances and redirect the user to an adversary-controlled website.[3]

A crafted path like https://maliciouswebsite.com would be opened in the machine's default browser, landing the user on the adversary-controlled website.

On macOS the implications of passing a URL to Finder[4] are not yet fully clear, but we suspect similar capabilities.

This primitive requires a vulnerability in the frontend code or in dependencies of the frontend.

The likelihood of exploitation is relatively low and the impact is moderate.

[3] If a file is provided, it is opened in the preferred application for files of that type. xdg-open supports file, ftp, http and https URLs: https://linux.die.net/man/1/xdg-open

Recommendation

  • Use the built-in Tauri command open[5] to display files
  • Validate the path argument against valid file paths before passing it to a child process
[5] API Reference; requires a custom regex scope that allows only file paths
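The following is an added example of the second recommendation, written for this report and not taken from the audited project or its fix. It assumes the command is only ever meant to reveal an existing, absolute file path; the error type, the helper names validate_path and reveal_command, and the std-only command construction are choices of this example. Note that the Path type alone does not reject a URL, since https://maliciouswebsite.com is a perfectly valid relative path, so the check has to go further than the type.

```rust
use std::path::{Path, PathBuf};
use std::process::Command;

/// Reasons a frontend-supplied string is refused (names chosen for this example).
#[derive(Debug, PartialEq)]
pub enum PathError {
    LooksLikeUrl,
    NotAbsolute,
    NotFound,
    NotAFile,
    SpawnFailed,
}

/// Validate an untrusted string before it becomes a child-process argument.
/// Assumption: only existing, absolute regular files are legitimate input.
pub fn validate_path(raw: &str) -> Result<PathBuf, PathError> {
    // Cheap early rejection of anything shaped like a URL. This is not the
    // real security boundary (canonicalize below is), it just gives a clearer error.
    if raw.contains("://") || raw.starts_with("file:") {
        return Err(PathError::LooksLikeUrl);
    }
    let p = Path::new(raw);
    // Relative paths (which is what a URL parses as) are refused outright.
    if !p.is_absolute() {
        return Err(PathError::NotAbsolute);
    }
    // canonicalize resolves symlinks and fails when the target does not exist,
    // so a URL or a made-up path can never reach the spawn.
    let canonical = p.canonicalize().map_err(|_| PathError::NotFound)?;
    if !canonical.is_file() {
        return Err(PathError::NotAFile);
    }
    Ok(canonical)
}

/// Build (but do not spawn) the same per-OS command as the affected code,
/// now only ever fed an already validated path.
pub fn reveal_command(path: &Path) -> Command {
    let (program, trailing): (&str, &[&str]) = if cfg!(target_os = "macos") {
        ("open", &["-R"]) // reveal in Finder rather than opening the file
    } else if cfg!(target_os = "windows") {
        ("explorer", &[])
    } else {
        ("xdg-open", &[])
    };
    let mut cmd = Command::new(program);
    cmd.arg(path);
    cmd.args(trailing);
    cmd
}

/// Hardened equivalent of the original command body: validation first,
/// and the spawn error is returned to the caller instead of unwrapped.
pub fn show_folder_in_finder(raw: &str) -> Result<(), PathError> {
    let path = validate_path(raw)?;
    reveal_command(&path)
        .spawn()
        .map(|_| ())
        .map_err(|_| PathError::SpawnFailed)
}

fn main() {
    // Constructed input for illustration: the crafted value from the report.
    println!("{:?}", validate_path("https://maliciouswebsite.com"));
}
```

In a real Tauri command the wrapper would carry the #[tauri::command] attribute and return the error to the frontend; the validation logic itself does not depend on Tauri, which is what makes it easy to test in isolation.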

Retest Notes

The issue was fixed by enforcing the Path type for inputs passed from the frontend. The fix was merged into the latest release in PR 969.