+ "details": "## Summary\n\n`@tinacms/graphql` uses string-based path containment checks in `FilesystemBridge`:\n\n- `path.resolve(path.join(baseDir, filepath))`\n- `startsWith(resolvedBase + path.sep)`\n\nThat blocks plain `../` traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like `content/posts/pivot/owned.md` is still considered \"inside\" the base even though the real filesystem target can be outside it.\n\nAs a result, `FilesystemBridge.get()`, `put()`, `delete()`, and `glob()` can operate on files outside the intended root.\n\n## Details\n\nThe current bridge validation is:\n\n```ts\nfunction assertWithinBase(filepath: string, baseDir: string): string {\n const resolvedBase = path.resolve(baseDir);\n const resolved = path.resolve(path.join(baseDir, filepath));\n if (\n resolved !== resolvedBase &&\n !resolved.startsWith(resolvedBase + path.sep)\n ) {\n throw new Error(\n `Path traversal detected: \"${filepath}\" escapes the base directory`\n );\n }\n return resolved;\n}\n```\n\nBut the bridge then performs real filesystem I/O on the resulting path:\n\n```ts\npublic async get(filepath: string) {\n const resolved = assertWithinBase(filepath, this.outputPath);\n return (await fs.readFile(resolved)).toString();\n}\n\npublic async put(filepath: string, data: string, basePathOverride?: string) {\n const basePath = basePathOverride || this.outputPath;\n const resolved = assertWithinBase(filepath, basePath);\n await fs.outputFile(resolved, data);\n}\n\npublic async delete(filepath: string) {\n const resolved = assertWithinBase(filepath, this.outputPath);\n await fs.remove(resolved);\n}\n```\n\nThis is a classic realpath gap:\n\n1. validation checks the lexical path string\n2. the filesystem follows the link target during I/O\n3. the actual target can be outside the intended root\n\nThis is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled `relativePath`, but that validation is also string-based:\n\n```ts\nconst realPath = path.join(collection.path, relativePath);\nthis.validatePath(realPath, collection, relativePath);\n```\n\nDatabase write and delete operations then call the bridge:\n\n```ts\nawait this.bridge.put(normalizedPath, stringifiedFile);\n...\nawait this.bridge.delete(normalizedPath);\n```\n\n## Local Reproduction\n\nThis was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.\n\nTest layout:\n\n- content root: `D:\\bugcrowd\\tinacms\\temp\\junction-repro4`\n- allowed collection path: `content/posts`\n- junction inside collection: `content/posts/pivot -> D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\outside`\n- file outside content root: `outside\\secret.txt`\n\nTina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.\n\nObserved result:\n\n```json\n{\n \"graphqlBridge\": {\n \"collectionPath\": \"content/posts\",\n \"requestedRelativePath\": \"pivot/owned.md\",\n \"validatedRealPath\": \"content\\\\posts\\\\pivot\\\\owned.md\",\n \"bridgeResolvedPath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\content\\\\posts\\\\pivot\\\\owned.md\",\n \"bridgeRead\": \"TOP_SECRET_FROM_OUTSIDE\\\\r\\\\n\",\n \"outsideGraphqlWriteExists\": true,\n \"outsideGraphqlWriteContents\": \"GRAPHQL_ESCAPE\"\n }\n}\n```\n\nThat is the critical point:\n\n- the path was accepted as inside `content/posts`\n- the bridge read `outside\\secret.txt`\n- the bridge wrote `outside\\owned.md`\n\nSo the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.\n\n## Impact\n\n- **Arbitrary file read/write outside the configured content root**\n- **Potential delete outside the configured content root** via the same `assertWithinBase()` gap in `delete()`\n- **Breaks the assumptions of the recent path-traversal fixes** because only lexical traversal is blocked\n- **Practical attack chains** where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations\n\nThe exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.\n\n## Recommended Fix\n\nThe containment check needs to compare canonical filesystem paths, not just string-normalized paths.\n\nFor example:\n\n1. resolve the base with `fs.realpath()`\n2. resolve the candidate path's parent with `fs.realpath()`\n3. reject any request whose real target path escapes the real base\n4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file\n\nIn short: use realpath-aware containment checks for every filesystem sink, not `path.resolve(...).startsWith(...)` alone.\n\n## Resources\n\n- `packages/@tinacms/graphql/src/database/bridge/filesystem.ts`\n- `packages/@tinacms/graphql/src/database/index.ts`\n- `packages/@tinacms/graphql/src/resolver/index.ts`",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments