Package Instance

@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
## Summary

`@tinacms/cli` recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets.

If a link already exists under the media root, Tina accepts a path like `pivot/written-from-media.txt` as "inside" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete.

## Details

The dev media handlers validate user-controlled paths with:

```ts
function resolveWithinBase(userPath: string, baseDir: string): string {
  const resolvedBase = path.resolve(baseDir);
  const resolved = path.resolve(path.join(baseDir, userPath));
  if (resolved === resolvedBase) {
    return resolvedBase;
  }
  if (resolved.startsWith(resolvedBase + path.sep)) {
    return resolved;
  }
  throw new PathTraversalError(userPath);
}

function resolveStrictlyWithinBase(userPath: string, baseDir: string): string {
  const resolvedBase = path.resolve(baseDir) + path.sep;
  const resolved = path.resolve(path.join(baseDir, userPath));
  if (!resolved.startsWith(resolvedBase)) {
    throw new PathTraversalError(userPath);
  }
  return resolved;
}
```

But the validated path is then used directly for real filesystem access:

```ts
filesStr = await fs.readdir(validatedPath);
...
await fs.ensureDir(path.dirname(saveTo));
file.pipe(fs.createWriteStream(saveTo));
...
await fs.remove(file);
```

This does not account for symlinks/junctions already present below the media root. A path such as `pivot/secret.txt` can be lexically inside the media directory while the filesystem target is outside it.

## Local Reproduction

I verified this locally with a real junction on Windows.

Test layout:

- media root: `D:\bugcrowd\tinacms\temp\junction-repro4\public\uploads`
- junction under media root: `public\uploads\pivot -> D:\bugcrowd\tinacms\temp\junction-repro4\outside`
- file outside the media root: `outside\secret.txt`

Tina's current media-path validation logic was applied and used to perform the same list/write operations the route handlers use.

Observed result:

```json
{
  "media": {
    "base": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\public\\uploads",
    "resolvedListPath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\public\\uploads\\pivot",
    "listedEntries": [
      "secret.txt"
    ],
    "resolvedWritePath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\public\\uploads\\pivot\\written-from-media.txt",
    "outsideWriteExists": true,
    "outsideWriteContents": "MEDIA_ESCAPE"
  }
}
```

This shows the problem clearly:

- the path validator accepted `pivot`
- listing revealed a file from outside the media root
- writing to `pivot/written-from-media.txt` created `outside\written-from-media.txt`

The delete path uses the same flawed containment model and should be hardened at the same time.

## Impact

- **Out-of-root file listing** via `/media/list/...`
- **Out-of-root file write** via `/media/upload/...`
- **Likely out-of-root file delete** via `/media/...` `DELETE`, using the same path-validation gap
- **Bypass of the recent path traversal hardening** for any deployment whose media tree contains a link to another location

This is especially relevant in development and self-hosted workflows where the media directory may contain symlinks or junctions intentionally or via repository content.

## Recommended Fix

Harden media path validation with canonical filesystem checks:

1. resolve the real base path with `fs.realpath()`
2. resolve the real target path, or for writes the nearest existing parent
3. compare canonical paths rather than lexical strings
4. reject any operation that traverses through a symlink/junction to leave the real media root

`path.resolve(...).startsWith(...)` is not sufficient for filesystem security on linked paths.

## Resources

- `packages/@tinacms/cli/src/next/commands/dev-command/server/media.ts`
- `packages/@tinacms/cli/src/server/models/media.ts`
- `packages/@tinacms/cli/src/utils/path.ts`

@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files
### Summary
A Path Traversal vulnerability in `@tinacms/graphql` allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the `relativePath` parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts.

### Details
The vulnerability exists in the path validation logic within `@tinacms/graphql`. Specifically, the regex-based validation in `getValidatedPath` fails to recognize backslashes (`\`) as directory separators on non-Windows platforms (Mac/Linux). An attacker can provide a path like `x\..\..\..\package.json`, which bypasses the validation check but is subsequently treated as a traversal path during file I/O operations by the underlying `fs` modules and path normalization utilities.

Incriminated code areas:
- [packages/@tinacms/graphql/src/database/bridge/filesystem.ts](tinacms/packages/@tinacms/graphql/src/database/bridge/filesystem.ts): [assertWithinBase](tinacms/graphql/src/database/bridge/filesystem.ts#7-35) function.
- [packages/@tinacms/graphql/src/resolver/index.ts](tinacms/packages/@tinacms/graphql/src/resolver/index.ts): `getValidatedPath` function.

### PoC
1. Start the TinaCMS development server.
2. Send a malicious GraphQL mutation to overwrite a project file (e.g., [package.json](tinacms/examples/tina-self-hosted-demo/package.json)):

```bash
curl -X POST http://localhost:4001/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "mutation { updateDocument(collection: \"global\", relativePath: \"x\\\\..\\\\..\\\\..\\\\package.json\", params: { global: { header: { name: \"OVERWRITTEN\" } } }) { __typename } }"}'
```

3. Observe that the root [package.json](tinacms/examples/tina-self-hosted-demo/package.json) has been replaced with the provided payload.

<img width="1424" height="516" alt="2026-03-15_12-24-05 PM" src="https://github.com/user-attachments/assets/9fdf94ce-2183-4a24-9cd9-48f21deb9768" />

<img width="1387" height="774" alt="2026-03-15_12-27-33 PM" src="https://github.com/user-attachments/assets/676f083b-f934-4cf2-978b-bb2fabee0216" />

### Impact
This is an **Arbitrary File Write** vulnerability. Any unauthenticated user with network access to the GraphQL API can:
- Overwrite critical server configuration files (e.g., [package.json](tinacms/examples/tina-self-hosted-demo/package.json), [tsconfig.json](tinacms/examples/tina-self-hosted-demo/tsconfig.json)).
- Host malicious scripts in the `public/` directory for client-side attacks.
- Perform **Arbitrary Code Execution** by modifying build scripts or server-side logic files that are subsequently executed by the environment.



**Weaknesses:**
- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **CWE-73**: External Control of File Name or Path

@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
## Summary

`@tinacms/graphql` uses string-based path containment checks in `FilesystemBridge`:

- `path.resolve(path.join(baseDir, filepath))`
- `startsWith(resolvedBase + path.sep)`

That blocks plain `../` traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like `content/posts/pivot/owned.md` is still considered "inside" the base even though the real filesystem target can be outside it.

As a result, `FilesystemBridge.get()`, `put()`, `delete()`, and `glob()` can operate on files outside the intended root.

## Details

The current bridge validation is:

```ts
function assertWithinBase(filepath: string, baseDir: string): string {
  const resolvedBase = path.resolve(baseDir);
  const resolved = path.resolve(path.join(baseDir, filepath));
  if (
    resolved !== resolvedBase &&
    !resolved.startsWith(resolvedBase + path.sep)
  ) {
    throw new Error(
      `Path traversal detected: "${filepath}" escapes the base directory`
    );
  }
  return resolved;
}
```

But the bridge then performs real filesystem I/O on the resulting path:

```ts
public async get(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  return (await fs.readFile(resolved)).toString();
}

public async put(filepath: string, data: string, basePathOverride?: string) {
  const basePath = basePathOverride || this.outputPath;
  const resolved = assertWithinBase(filepath, basePath);
  await fs.outputFile(resolved, data);
}

public async delete(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  await fs.remove(resolved);
}
```

This is a classic realpath gap:

1. validation checks the lexical path string
2. the filesystem follows the link target during I/O
3. the actual target can be outside the intended root

This is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled `relativePath`, but that validation is also string-based:

```ts
const realPath = path.join(collection.path, relativePath);
this.validatePath(realPath, collection, relativePath);
```

Database write and delete operations then call the bridge:

```ts
await this.bridge.put(normalizedPath, stringifiedFile);
...
await this.bridge.delete(normalizedPath);
```

## Local Reproduction

This was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.

Test layout:

- content root: `D:\bugcrowd\tinacms\temp\junction-repro4`
- allowed collection path: `content/posts`
- junction inside collection: `content/posts/pivot -> D:\bugcrowd\tinacms\temp\junction-repro4\outside`
- file outside content root: `outside\secret.txt`

Tina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.

Observed result:

```json
{
  "graphqlBridge": {
    "collectionPath": "content/posts",
    "requestedRelativePath": "pivot/owned.md",
    "validatedRealPath": "content\\posts\\pivot\\owned.md",
    "bridgeResolvedPath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\content\\posts\\pivot\\owned.md",
    "bridgeRead": "TOP_SECRET_FROM_OUTSIDE\\r\\n",
    "outsideGraphqlWriteExists": true,
    "outsideGraphqlWriteContents": "GRAPHQL_ESCAPE"
  }
}
```

That is the critical point:

- the path was accepted as inside `content/posts`
- the bridge read `outside\secret.txt`
- the bridge wrote `outside\owned.md`

So the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.

## Impact

- **Arbitrary file read/write outside the configured content root**
- **Potential delete outside the configured content root** via the same `assertWithinBase()` gap in `delete()`
- **Breaks the assumptions of the recent path-traversal fixes** because only lexical traversal is blocked
- **Practical attack chains** where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations

The exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.

## Recommended Fix

The containment check needs to compare canonical filesystem paths, not just string-normalized paths.

For example:

1. resolve the base with `fs.realpath()`
2. resolve the candidate path's parent with `fs.realpath()`
3. reject any request whose real target path escapes the real base
4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file

In short: use realpath-aware containment checks for every filesystem sink, not `path.resolve(...).startsWith(...)` alone.

## Resources

- `packages/@tinacms/graphql/src/database/bridge/filesystem.ts`
- `packages/@tinacms/graphql/src/database/index.ts`
- `packages/@tinacms/graphql/src/resolver/index.ts`