CVE-2022-46171: 
Rust vulnerability analysis and mitigation

CVE-2022-46171 affects Tauri, a framework for building binaries for all major desktop platforms. The vulnerability was discovered and disclosed in December 2022, where filesystem glob pattern wildcards (*, ?, and [...]) were found to match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. The vulnerability affects Tauri versions 1.0.0-1.0.7, 1.1.0-1.1.2, 1.2.0-1.2.2, and 2.0.0-alpha.0 to 2.0.0-alpha.1 (GitHub Advisory).

The vulnerability stems from the default behavior of glob pattern matching in Tauri's filesystem scope implementation. The glob pattern wildcards would match file path literals and leading dots, allowing access to subdirectories and hidden files that were not intended to be accessible. For example, a scope pattern like $HOME/*.key would unintentionally allow access to files like $HOME/.ssh/secret.key, exposing content in both subdirectories and hidden folders. The CVSS v3.1 base score is 6.8 (Medium), with a vector string of CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (GitHub Advisory).

The vulnerability could lead to unauthorized access to sensitive files and directories that were intended to be restricted. An attacker could potentially read files from subdirectories and hidden folders that should have been outside the scope of the allowed paths, potentially exposing sensitive information (GitHub Advisory).

The issue has been patched in versions 1.0.8, 1.1.3, 1.2.3, and 2.0.0-alpha.2 and later. The fix implements stricter glob matching options by setting require_literal_separator: true and require_literal_leading_dot: true. No workarounds were available at the time of publication, making upgrading to a patched version the only solution (GitHub Advisory).