Tauri Shell Plugin Improper Validation in Open Endpoint Allows Remote Code Execution

Vulnerability

A vulnerability in the Tauri shell plugin, prior to version 2.2.1, allows remote code execution because the 'open' endpoint does not properly validate the protocol of the URL it receives. This endpoint, intended to hand a URL to the system's default program handler, could be abused to execute code when untrusted input carried dangerous protocols such as 'file://', 'smb://', or 'nfs://'. Exploitation requires either that the endpoint be directly exposed to users or that an attacker already have code execution in the frontend of a Tauri application. Users who have either configured a validation regex or disabled the 'open' endpoint in the plugin settings are not affected.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected system.

Reproduction

To reproduce this vulnerability, create a new Tauri application and add the shell plugin. Then, invoke the 'open' command through the Tauri internal API, passing a 'file://' URL that points to a local executable, such as the Windows Calculator. This will result in the specified program being executed on the system.

Remediation

Users should update to version 2.2.1 or later, which includes the necessary patch. If an immediate update is not possible, the 'open' endpoint can be disabled in the plugin configuration. Replacing the shell plugin's 'open' command with the 'opener' plugin is the recommended long-term fix.
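The following is an added example, not the Tauri project's own code: a strict scheme allowlist of the kind that an "open with the default handler" endpoint needs before it passes a URL to the OS, refusing the 'file://', 'smb://' and 'nfs://' inputs named above. The allowed scheme list is an assumption for an application that only needs web, mail and phone handlers.

```rust
// Added example (not Tauri's own code). Assumed allowlist: an application that
// only ever opens web links, mail and phone handlers.
const ALLOWED_SCHEMES: &[&str] = &["http", "https", "mailto", "tel"];

/// Returns the scheme of `url` if the text before the first ':' is a
/// syntactically valid URI scheme (RFC 3986: a letter followed by letters,
/// digits, '+', '-' or '.'). Anything else, including a leading space or a
/// bare Windows path, yields None.
fn scheme_of(url: &str) -> Option<&str> {
    let (scheme, _rest) = url.split_once(':')?;
    let mut chars = scheme.chars();
    let first = chars.next()?;
    if !first.is_ascii_alphabetic() {
        return None;
    }
    if chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.')) {
        Some(scheme)
    } else {
        None
    }
}

/// Decide whether `url` may be handed to the system's default handler.
/// Control characters are refused outright; the scheme is compared
/// case-insensitively so that "FILE://" cannot slip past a lowercase list.
pub fn is_open_allowed(url: &str) -> bool {
    if url.chars().any(|c| c.is_control()) {
        return false;
    }
    match scheme_of(url) {
        Some(s) => ALLOWED_SCHEMES.contains(&s.to_ascii_lowercase().as_str()),
        None => false,
    }
}

fn main() {
    // Constructed sample inputs; the file path is a placeholder.
    let samples = [
        "https://tauri.app",
        "mailto:someone@example.com",
        "file:///C:/path/to/program.exe",
        "smb://host/share",
        "nfs://host/export",
        "FILE:///etc/hosts",
        " https://tauri.app",
    ];
    for u in samples {
        let verdict = if is_open_allowed(u) { "allowed" } else { "refused" };
        println!("{u:?} -> {verdict}");
    }
}
```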

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.