{"id":"GHSA-g9c2-gf25-3x67","summary":"@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions","details":"## Summary\n\n`@tinacms/graphql` uses string-based path containment checks in `FilesystemBridge`:\n\n- `path.resolve(path.join(baseDir, filepath))`\n- `startsWith(resolvedBase + path.sep)`\n\nThat blocks plain `../` traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like `content/posts/pivot/owned.md` is still considered \"inside\" the base even though the real filesystem target can be outside it.\n\nAs a result, `FilesystemBridge.get()`, `put()`, `delete()`, and `glob()` can operate on files outside the intended root.\n\n## Details\n\nThe current bridge validation is:\n\n```ts\nfunction assertWithinBase(filepath: string, baseDir: string): string {\n  const resolvedBase = path.resolve(baseDir);\n  const resolved = path.resolve(path.join(baseDir, filepath));\n  if (\n    resolved !== resolvedBase &&\n    !resolved.startsWith(resolvedBase + path.sep)\n  ) {\n    throw new Error(\n      `Path traversal detected: \"${filepath}\" escapes the base directory`\n    );\n  }\n  return resolved;\n}\n```\n\nBut the bridge then performs real filesystem I/O on the resulting path:\n\n```ts\npublic async get(filepath: string) {\n  const resolved = assertWithinBase(filepath, this.outputPath);\n  return (await fs.readFile(resolved)).toString();\n}\n\npublic async put(filepath: string, data: string, basePathOverride?: string) {\n  const basePath = basePathOverride || this.outputPath;\n  const resolved = assertWithinBase(filepath, basePath);\n  await fs.outputFile(resolved, data);\n}\n\npublic async delete(filepath: string) {\n  const resolved = assertWithinBase(filepath, this.outputPath);\n  await fs.remove(resolved);\n}\n```\n\nThis is a classic realpath gap:\n\n1. validation checks the lexical path string\n2. the filesystem follows the link target during I/O\n3. the actual target can be outside the intended root\n\nThis is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled `relativePath`, but that validation is also string-based:\n\n```ts\nconst realPath = path.join(collection.path, relativePath);\nthis.validatePath(realPath, collection, relativePath);\n```\n\nDatabase write and delete operations then call the bridge:\n\n```ts\nawait this.bridge.put(normalizedPath, stringifiedFile);\n...\nawait this.bridge.delete(normalizedPath);\n```\n\n## Local Reproduction\n\nThis was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.\n\nTest layout:\n\n- content root: `D:\\bugcrowd\\tinacms\\temp\\junction-repro4`\n- allowed collection path: `content/posts`\n- junction inside collection: `content/posts/pivot -\u003e D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\outside`\n- file outside content root: `outside\\secret.txt`\n\nTina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.\n\nObserved result:\n\n```json\n{\n  \"graphqlBridge\": {\n    \"collectionPath\": \"content/posts\",\n    \"requestedRelativePath\": \"pivot/owned.md\",\n    \"validatedRealPath\": \"content\\\\posts\\\\pivot\\\\owned.md\",\n    \"bridgeResolvedPath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\content\\\\posts\\\\pivot\\\\owned.md\",\n    \"bridgeRead\": \"TOP_SECRET_FROM_OUTSIDE\\\\r\\\\n\",\n    \"outsideGraphqlWriteExists\": true,\n    \"outsideGraphqlWriteContents\": \"GRAPHQL_ESCAPE\"\n  }\n}\n```\n\nThat is the critical point:\n\n- the path was accepted as inside `content/posts`\n- the bridge read `outside\\secret.txt`\n- the bridge wrote `outside\\owned.md`\n\nSo the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.\n\n## Impact\n\n- **Arbitrary file read/write outside the configured content root**\n- **Potential delete outside the configured content root** via the same `assertWithinBase()` gap in `delete()`\n- **Breaks the assumptions of the recent path-traversal fixes** because only lexical traversal is blocked\n- **Practical attack chains** where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations\n\nThe exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.\n\n## Recommended Fix\n\nThe containment check needs to compare canonical filesystem paths, not just string-normalized paths.\n\nFor example:\n\n1. resolve the base with `fs.realpath()`\n2. resolve the candidate path's parent with `fs.realpath()`\n3. reject any request whose real target path escapes the real base\n4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file\n\nIn short: use realpath-aware containment checks for every filesystem sink, not `path.resolve(...).startsWith(...)` alone.\n\n## Resources\n\n- `packages/@tinacms/graphql/src/database/bridge/filesystem.ts`\n- `packages/@tinacms/graphql/src/database/index.ts`\n- `packages/@tinacms/graphql/src/resolver/index.ts`","aliases":["CVE-2026-34604"],"modified":"2026-04-06T17:04:10.068665Z","published":"2026-04-01T00:25:22Z","database_specific":{"severity":"HIGH","nvd_published_at":"2026-04-01T17:28:41Z","github_reviewed_at":"2026-04-01T00:25:22Z","github_reviewed":true,"cwe_ids":["CWE-22","CWE-59"]},"references":[{"type":"WEB","url":"https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34604"},{"type":"WEB","url":"https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"},{"type":"PACKAGE","url":"https://github.com/tinacms/tinacms"}],"affected":[{"package":{"name":"@tinacms/graphql","ecosystem":"npm","purl":"pkg:npm/%40tinacms/graphql"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.2.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-g9c2-gf25-3x67/GHSA-g9c2-gf25-3x67.json","last_known_affected_version_range":"\u003c= 2.2.0"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"}]}