i am making it worse

FabianLars · FabianLars · commit f323eb8f56e5 · 2024-11-19T18:58:37.000+01:00
diff --git a/plugins/fs/Cargo.toml b/plugins/fs/Cargo.toml
@@ -14,7 +14,7 @@ rustc-args = ["--cfg", "docsrs"]
 rustdoc-args = ["--cfg", "docsrs"]
 
 [package.metadata.platforms.support]
-windows = { level = "full", notes = "No write access to `$RESOURCES` folder with MSI installer and NSIS installers in `perMachine` or `both` mode" }
+windows = { level = "full", notes = "Apps installed via MSI or NSIS in `perMachine` and `both` mode require admin permissions for write acces in `$RESOURCES` folder" }
 linux = { level = "full", notes = "No write access to `$RESOURCES` folder" }
 macos = { level = "full", notes = "No write access to `$RESOURCES` folder" }
 android = { level = "partial", notes = "Access is restricted to Application folder by default" }
diff --git a/plugins/fs/build.rs b/plugins/fs/build.rs
@@ -7,7 +7,7 @@ use std::{
     path::{Path, PathBuf},
 };
 
-#[path = "src/scope.rs"]
+#[path = "src/entryraw.rs"]
 #[allow(dead_code)]
 mod scope;
 
diff --git a/plugins/fs/src/commands.rs b/plugins/fs/src/commands.rs
@@ -16,7 +16,7 @@ use std::{
     borrow::Cow,
     fs::File,
     io::{BufReader, Lines, Read, Write},
-    path::PathBuf,
+    path::{Path, PathBuf},
     str::FromStr,
     sync::Mutex,
     time::{SystemTime, UNIX_EPOCH},
@@ -1002,37 +1002,88 @@ pub fn resolve_path<R: Runtime>(
     let scope = tauri::scope::fs::Scope::new(
         webview,
         &FsScope::Scope {
-            allow: webview
-                .fs_scope()
-                .allowed
-                .lock()
-                .unwrap()
-                .clone()
-                .into_iter()
-                .chain(global_scope.allows().iter().filter_map(|e| e.path.clone()))
+            allow: global_scope
+                .allows()
+                .iter()
+                .filter_map(|e| e.path.clone())
                 .chain(command_scope.allows().iter().filter_map(|e| e.path.clone()))
                 .collect(),
-            deny: webview
-                .fs_scope()
-                .denied
-                .lock()
-                .unwrap()
-                .clone()
-                .into_iter()
-                .chain(global_scope.denies().iter().filter_map(|e| e.path.clone()))
+            deny: global_scope
+                .denies()
+                .iter()
+                .filter_map(|e| e.path.clone())
                 .chain(command_scope.denies().iter().filter_map(|e| e.path.clone()))
                 .collect(),
             require_literal_leading_dot: webview.fs_scope().require_literal_leading_dot,
         },
     )?;
 
-    if scope.is_allowed(&path) {
+    let fs_scope = webview.fs_scope();
+
+    let require_literal_leading_dot = fs_scope.require_literal_leading_dot.unwrap_or(cfg!(unix));
+
+    if fs_scope
+        .scope
+        .as_ref()
+        .map(|s| is_forbidden(s, &path, require_literal_leading_dot))
+        .unwrap_or(false)
+        || is_forbidden(&scope, &path, require_literal_leading_dot)
+    {
+        return Err(CommandError::Plugin(Error::PathForbidden(path)));
+    }
+
+    if fs_scope
+        .scope
+        .as_ref()
+        .map(|s| s.is_allowed(&path))
+        .unwrap_or(false)
+        || scope.is_allowed(&path)
+    {
         Ok(path)
     } else {
         Err(CommandError::Plugin(Error::PathForbidden(path)))
     }
 }
 
+fn is_forbidden<P: AsRef<Path>>(
+    scope: &tauri::fs::Scope,
+    path: P,
+    require_literal_leading_dot: bool,
+) -> bool {
+    let path = path.as_ref();
+    let path = if path.is_symlink() {
+        match std::fs::read_link(path) {
+            Ok(p) => p,
+            Err(_) => return false,
+        }
+    } else {
+        path.to_path_buf()
+    };
+    let path = if !path.exists() {
+        crate::Result::Ok(path)
+    } else {
+        std::fs::canonicalize(path).map_err(Into::into)
+    };
+
+    if let Ok(path) = path {
+        let path: PathBuf = path.components().collect();
+        scope.forbidden_patterns().iter().any(|p| {
+            p.matches_path_with(
+                &path,
+                glob::MatchOptions {
+                    // this is needed so `/dir/*` doesn't match files within subdirectories such as `/dir/subdir/file.txt`
+                    // see: <https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5>
+                    require_literal_separator: true,
+                    require_literal_leading_dot,
+                    ..Default::default()
+                },
+            )
+        })
+    } else {
+        false
+    }
+}
+
 struct StdFileResource(Mutex<File>);
 
 impl StdFileResource {
diff --git a/plugins/fs/src/entryraw.rs b/plugins/fs/src/entryraw.rs
@@ -0,0 +1,14 @@
+// Copyright 2019-2023 Tauri Programme within The Commons Conservancy
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: MIT
+
+use std::path::PathBuf;
+
+use serde::Deserialize;
+
+#[derive(Deserialize)]
+#[serde(untagged)]
+pub(crate) enum EntryRaw {
+    Value(PathBuf),
+    Object { path: PathBuf },
+}
diff --git a/plugins/fs/src/lib.rs b/plugins/fs/src/lib.rs
@@ -15,14 +15,15 @@ use serde::Deserialize;
 use tauri::{
     ipc::ScopeObject,
     plugin::{Builder as PluginBuilder, TauriPlugin},
-    utils::acl::Value,
+    utils::{acl::Value, config::FsScope},
     AppHandle, DragDropEvent, Manager, RunEvent, Runtime, WindowEvent,
 };
 
 mod commands;
 mod config;
 #[cfg(not(target_os = "android"))]
 mod desktop;
+mod entryraw;
 mod error;
 mod file_path;
 #[cfg(target_os = "android")]
@@ -352,8 +353,8 @@ impl ScopeObject for scope::Entry {
         raw: Value,
     ) -> std::result::Result<Self, Self::Error> {
         let path = serde_json::from_value(raw.into()).map(|raw| match raw {
-            scope::EntryRaw::Value(path) => path,
-            scope::EntryRaw::Object { path } => path,
+            entryraw::EntryRaw::Value(path) => path,
+            entryraw::EntryRaw::Object { path } => path,
         })?;
 
         match app.path().parse(path) {
@@ -419,11 +420,13 @@ pub fn init<R: Runtime>() -> TauriPlugin<R, Option<config::Config>> {
             watcher::unwatch
         ])
         .setup(|app, api| {
-            let mut scope = Scope::default();
-            scope.require_literal_leading_dot = api
-                .config()
-                .as_ref()
-                .and_then(|c| c.require_literal_leading_dot);
+            let scope = Scope {
+                require_literal_leading_dot: api
+                    .config()
+                    .as_ref()
+                    .and_then(|c| c.require_literal_leading_dot),
+                scope: Some(tauri::fs::Scope::new(app, &FsScope::default())?),
+            };
 
             #[cfg(target_os = "android")]
             {
diff --git a/plugins/fs/src/scope.rs b/plugins/fs/src/scope.rs
