[bug] path not allowed on the configured scope #6964

Closed
fogine opened this issue May 14, 2023 · 7 comments
Labels: status: needs triage, type: bug

Comments

@fogine

fogine commented May 14, 2023

Describe the bug

With tauri-build=1.0.4 & tauri 1.0.5 installed and with the setting

    "allowlist": {
      "all": true,
      "fs": {
        "all": true,
        "readFile": true,
        "writeFile": true,
        "readDir": true,
        "removeFile": true,
        "createDir": true,
        "scope": ["*"]
      }
    },

I could access arbitrary files on the hard disk, for example in the user's Downloads directory.
The application is a developer tool and needs to be able to access any location.

Since upgrading to tauri-build=1.3.0 && tauri=1.3.0, the wildcard scope setting does not work. I tried many combinations like:

        "scope": ["**", "**/**", "**/*"]

but still getting error:

    path not allowed on the configured scope: /home/user/Downloads/path/to/file

Tested on

Reproduction

No response

Expected behavior

No response

Platform and versions

yarn run v1.22.19
$ tauri info

[✔] Environment
    - OS: Arch Linux Unknown X64
    ✔ webkit2gtk-4.0: 2.40.1
    ✔ rsvg2: 2.56.0
    ✔ rustc: 1.66.1 (90743e729 2023-01-10)
    ✔ Cargo: 1.66.1 (ad779e08b 2023-01-10)
    ✔ rustup: 1.26.0 (2023-05-04)
    ✔ Rust toolchain: stable-x86_64-unknown-linux-gnu (default)
    - node: 16.18.1
    - yarn: 1.22.19
    - npm: 8.19.2

[-] Packages
    - tauri [RUST]: 1.3.0
    - tauri-build [RUST]: 1.3.0
    - wry [RUST]: 0.24.3
    - tao [RUST]: 0.16.1
    - @tauri-apps/api [NPM]: 1.3.0
    - @tauri-apps/cli [NPM]: 1.3.1

[-] App
    - build-type: bundle
    - CSP: unset
    - distDir: ../dist
    - devPath: http://localhost:1420/
    - framework: Vue.js
    - bundler: Vite
Done in 7.04s.

Stack trace

No response

Additional context

No response

@fogine added the status: needs triage and type: bug labels May 14, 2023
@FabianLars
Member

`*` indeed stopped working due to a security-related fix (also published as a 1.0.X release). `**` however still works fine for me on 1.3 🤔

Can you try deleting the target/ folder and try again (just to make sure we're starting fresh)? If it still doesn't work please provide a minimal reproduction repo we can try.

@fogine
Author

fogine commented May 15, 2023

Ok, with tauri=1.0.4 I had the following scope setting:

    "scope": ["*", "$APP", "$APP/*", "$CACHE", "$CACHE/*", "$CONFIG", "$CONFIG/*", "$LOG", "$LOG/*", "$HOME/*"]

I managed to read most of the file/directory paths with the following setting with tauri=1.3.0:

    "scope": ["**", "$APP", "$APP/**", "$CACHE", "$CACHE/**", "$CONFIG", "$CONFIG/**", "$LOG", "$LOG/**", "$HOME/**"]

It was not enough to just provide

    "scope": ["**"]

which would still not allow reading the application's related $APP/$CACHE/$LOG directory and files...

However, I still can NOT read any text file which contains a leading . (dot) character in its name, e.g. .filename.txt

    // pseudocode
    import { readTextFile } from '@tauri-apps/api/fs';

    // will complain about path not allowed on the configured scope
    await readTextFile('/home/user/Downloads/create-this-exact/.filename.txt');

Here is a reproduction repo: clone it, create a text file at /home/CHANGEME/Downloads/create-this-exact/.filename.txt and run yarn && yarn tauri dev
https://github.com/fogine/tauri-bug-repro/blob/master/src/App.vue

@FabianLars
Member

Ahh, so it's with a leading dot. I think this is part of this issue then: #6158

@amrbashir closed this as not planned May 15, 2023
@fogine
Author

fogine commented May 15, 2023

Looks like it. It does not matter whether the leading dot is in the filename or in the directory name somewhere in the path.

Also, one breaking change since tauri=1.0.4 is worth mentioning: if you are trying to read file paths with a double // path segment separator, e.g. home/user/Downloads//file.txt (which is kind of invalid but worked before), you would get a path not allowed on the configured scope error. So for anybody reading this, make sure to normalize the path with import { normalize } from '@tauri-apps/api/path'

@amrbashir
Member

@fogine

> Looks like it. It does not matter whether the leading dot is in the filename or in the directory name somewhere in the path.

To match hidden directories or files, you need to explicitly match the dot. For your use case you need to define the scope like this:

    "scope": ["$DOWNLOAD/create-this-exact/.*", "$DOWNLOAD/create-this-exact/*"]

> Also, one breaking change since tauri=1.0.4 is worth mentioning: if you are trying to read file paths with a double // path segment separator, e.g. home/user/Downloads//file.txt (which is kind of invalid but worked before), you would get a path not allowed on the configured scope error. So for anybody reading this, make sure to normalize the path with import { normalize } from '@tauri-apps/api/path'

I wouldn't consider it a breaking change since it was invalid behavior in the first place and needed to be fixed.

@fogine
Author

fogine commented May 15, 2023

Thanks @amrbashir
Ok, so I have set the scope `**/.*` to be able to read /home/user/Downloads/create-this-exact/.filename.txt.
What about a leading dot character in directory names? I also have a path like the following:
/home/user/Downloads/.create-this-exact/.filename.txt

The path in the actual application is dynamic and is not known beforehand, so I need to set a wildcard scope as well.
However, neither scope `**/.**/.*` nor `.**/.*` works.

@amrbashir
Member

I have brought this issue to the team and we will be discussing how to enable this. It will probably be behind a setting in tauri.conf.json. Please follow the other issue to get notified when it is fixed.

jam53 added a commit to jam53/Takma that referenced this issue Sep 8, 2024
… in Tauri

Fixes an issue where Takma would crash upon startup on Linux, because hidden folders i.e. folders starting with a dot weren't being matched by the `**` glob pattern defined in Tauri's config file under `fs.scope.allow`. This crash only occurred on Linux because the [`requireLiteralLeadingDot`](https://tauri.app/v1/api/config/#fsallowlistscope.requireliteralleadingdot) setting defaults to `true` on Unix-based systems, while defaulting to `false` on Windows.

Related issues:
- tauri-apps/tauri#6964
- tauri-apps/tauri#6158
- tauri-apps/tauri#7190
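
Added example, not part of the thread and not Tauri's own code: a simplified JavaScript model of glob scope matching that shows how the leading-dot rule discussed above changes which paths a scope admits, and why turning it off under a broad `**` also admits dotfiles such as SSH keys. The helper names, the `/home/user` sample paths and the hand-expanded `$DOWNLOAD` directory are constructed for illustration; only `*`, `?` and a whole-segment `**` are modelled.

```javascript
// Simplified model of glob scope matching (added example, not Tauri's code).
// Assumes '/'-separated, already-normalized paths; models only '*', '?' and
// a whole-segment '**' (no [...] classes, no deny list).
function scopeToRegExp(pattern, requireLiteralLeadingDot) {
  const noDot = requireLiteralLeadingDot ? '(?!\\.)' : '';
  const component = `${noDot}[^/]*`;
  const segments = pattern.split('/');
  const parts = segments.map((seg, i) => {
    const last = i === segments.length - 1;
    // '**' spans zero or more whole components, each subject to the dot rule.
    if (seg === '**') return `(?:${component}/)*` + (last ? component : '');
    let out = '';
    [...seg].forEach((ch, j) => {
      const guard = j === 0 ? noDot : ''; // wildcard at the start of a component
      if (ch === '*') out += `${guard}[^/]*`;
      else if (ch === '?') out += `${guard}[^/]`;
      else out += ch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    });
    return out + (last ? '' : '/');
  });
  return new RegExp(`^${parts.join('')}$`);
}

function isAllowed(path, scope) {
  // Default taken from the commit message above: true on Unix-based systems.
  const strict = scope.requireLiteralLeadingDot ?? true;
  return scope.allow.some((p) => scopeToRegExp(p, strict).test(path));
}

// Constructed sample paths (hypothetical user and files).
const DIR = '/home/user/Downloads/create-this-exact';
const PLAIN = `${DIR}/file.txt`;
const HIDDEN_FILE = `${DIR}/.filename.txt`;
const HIDDEN_DIR = '/home/user/Downloads/.create-this-exact/.filename.txt';
const SSH_KEY = '/home/user/.ssh/id_ed25519';

// Returns the subset of the sample paths that a given scope would admit.
function audit(scope) {
  return [PLAIN, HIDDEN_FILE, HIDDEN_DIR, SSH_KEY].filter((p) => isAllowed(p, scope));
}

console.log(audit({ allow: ['**'] }));                    // plain file only
console.log(audit({ allow: ['**', '**/.*'] }));           // plus a dotfile in a visible dir
console.log(audit({ allow: [`${DIR}/.*`, `${DIR}/*`] })); // narrow: one directory
console.log(audit({ allow: ['**'], requireLiteralLeadingDot: false })); // all four, key included
```

Running an audit like this over a list of sensitive paths before widening a scope makes the trade-off visible: the explicit per-directory patterns admit the needed dotfile without also admitting `~/.ssh`.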