The Tauri command `write_text_file_cmd` took an arbitrary `path: String`
and flowed it straight into `tokio::fs::write`, with no main-window
guard, no canonicalisation, and no scope check. A compromised webview
could write anywhere the process had write access — overwriting shell
init files, dropping a runner into `~/.config/autostart`, etc. The
in-file comment "the dialog already constrains the user's choice"
described an intended invariant the IPC surface never enforced.
This change:
- adds `ensure_main_window(&window)?` so only the main webview can
invoke the command;
- canonicalises the requested path's parent (rejecting nonexistent
parents and resolving symlinks) before joining the filename;
- asserts the canonical target sits inside an allowlisted base
(app data, app local data, downloads, documents, desktop), so a
`"../../etc/passwd"` payload — even one obtained by symlink trickery
in the chosen save dir — is refused with a clear error.
Six unit tests cover: outside-allowlist rejection, path-traversal
rejection, nested inside-allowlist acceptance, plain inside-allowlist
acceptance, nonexistent-parent rejection, and the pure
`is_inside_any_base` prefix check.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>