Severity: LOW
Problem
src-tauri/src/storage.rs lines 436-439: remove_image_file() deletes whatever path is passed to it without verifying the path is within the expected image_root directory:
    fn remove_image_file(path: &str) -> std::io::Result<()> {
        let p = PathBuf::from(path);
        if p.exists() {
            fs::remove_file(p)?;
        }
        Ok(())
    }
Called from delete_entry and clear_history with path strings read from the SQLite database. No user-controlled input reaches these values today, but a corrupted or tampered database row could point the function at any file the application has permission to remove, so the trust boundary is the database file itself.
Proposed Solution
Add a path validation check before deletion. Note that Path::starts_with is a purely lexical component comparison: it accepts `<image_root>/../../etc/passwd` (the first components match before the `..` is ever considered) and a symlink under image_root that points elsewhere. Canonicalize both image_root and the stored path (or at minimum reject `..` components) before the prefix check so that the comparison is made on resolved paths.
    fn remove_image_file(path: &str, image_root: &Path) -> std::io::Result<()> {
        let p = PathBuf::from(path);
        if !p.starts_with(image_root) {
            return Err(std::io::Error::new(std::io::ErrorKind::PermissionDenied, "path outside image_root"));
        }
        if p.exists() {
            fs::remove_file(p)?;
        }
        Ok(())
    }
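A hardened version of the proposed check, written here as an added example (not code from the project or from this issue's author). It canonicalizes both image_root and the stored path before the prefix comparison, treats an already-missing file as a no-op, and refuses anything that is not a regular file. The demo() function and the DemoResult struct are illustrative helpers that build a throwaway directory layout under the OS temp dir (constructed sample data) to show the lexical check being bypassed by `..` and by a symlink, and the canonicalized check rejecting both:

```rust
use std::fs;
use std::io;
use std::path::Path;
use std::sync::atomic::{AtomicU64, Ordering};

/// Delete `path` only if it resolves to a regular file inside `image_root`.
///
/// `Path::starts_with` compares components lexically, so on its own it accepts
/// `<root>/../../etc/passwd` and a symlink under the root that points elsewhere.
/// Canonicalising both sides first resolves `..` and symlinks before the
/// prefix comparison is made.
pub fn remove_image_file(path: &str, image_root: &Path) -> io::Result<()> {
    let root = image_root.canonicalize()?;
    let p = Path::new(path);

    // The database is expected to store absolute paths; anything else is suspect.
    if !p.is_absolute() {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "relative path rejected"));
    }

    // Resolve `..` segments and symlinks. A path that no longer exists is not an
    // error for a delete, so treat NotFound as "nothing to do".
    let resolved = match p.canonicalize() {
        Ok(r) => r,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(()),
        Err(e) => return Err(e),
    };

    if !resolved.starts_with(&root) {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "path outside image_root"));
    }
    if !resolved.is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    fs::remove_file(&resolved)
}

/// Outcome of exercising the check against a constructed directory layout
/// (illustrative helper, not part of the project).
#[derive(Debug, PartialEq, Eq)]
pub struct DemoResult {
    pub inside_deleted: bool,     // a legitimate image under the root was removed
    pub traversal_rejected: bool, // `<root>/../secret.txt` was refused
    pub symlink_rejected: bool,   // a link under the root pointing outside was refused
    pub outside_survived: bool,   // the file outside the root still exists afterwards
}

static DEMO_SEQ: AtomicU64 = AtomicU64::new(0);

/// Build a throwaway layout under the OS temp dir (constructed sample data),
/// run the three scenarios, clean up, and report what happened.
pub fn demo() -> io::Result<DemoResult> {
    let seq = DEMO_SEQ.fetch_add(1, Ordering::SeqCst);
    let base = std::env::temp_dir()
        .join(format!("remove_image_demo_{}_{}", std::process::id(), seq));
    let root = base.join("images");
    fs::create_dir_all(&root)?;
    let inside = root.join("a.png");
    let outside = base.join("secret.txt");
    fs::write(&inside, b"png bytes")?;
    fs::write(&outside, b"not an image")?;

    // Legitimate case: a file directly under image_root is deleted.
    let inside_deleted =
        remove_image_file(inside.to_str().unwrap(), &root).is_ok() && !inside.exists();

    // Lexically this path starts with `root`; after canonicalisation it does not.
    let traversal = root.join("..").join("secret.txt");
    let traversal_rejected = remove_image_file(traversal.to_str().unwrap(), &root).is_err();

    // A symlink inside the root that targets a file outside it resolves outside.
    #[cfg(unix)]
    let symlink_rejected = {
        let link = root.join("link.png");
        std::os::unix::fs::symlink(&outside, &link)?;
        remove_image_file(link.to_str().unwrap(), &root).is_err()
    };
    #[cfg(not(unix))]
    let symlink_rejected = true; // symlink scenario skipped on non-Unix hosts

    let outside_survived = outside.exists();
    fs::remove_dir_all(&base)?;
    Ok(DemoResult { inside_deleted, traversal_rejected, symlink_rejected, outside_survived })
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```

Deleting the canonicalized path rather than the original string means a symlink that happens to resolve inside image_root removes its target, not the link; if the application ever stores symlinks deliberately, adjust that choice. There is still a window between canonicalize() and remove_file() in which the filesystem can change, which is acceptable here because the threat is a tampered database row, not a concurrent local attacker.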
References
PLAN.md item: Validate file deletion paths are within image_root #18