tauri-apps / tauri

Build smaller, faster, and more secure desktop and mobile applications with a web frontend.
https://tauri.app
Apache License 2.0

[bug] paths with square brackets don't work with fs plugin methods, and can corrupt $APPLOCALDATA/.persisted-scope #11705

Closed lendle closed 3 hours ago

lendle commented 3 hours ago

Describe the bug

When dragging and dropping a file into the webview and trying to use the path, there are a couple of issues if the path has square brackets. I believe this also happens with the dialog plugin in addition to drag and drop, but I haven't explicitly tested it now that I've discovered this issue. I think it has to do with how the paths are being handled when added to the allowed scope.

  1. If a path has both open and closed square brackets ([a].txt), then fs functions like exists fail with forbidden path: <the path>.
  2. If a path has just an open square bracket ([a.txt), calls to fs methods fail with [Error] invalid glob pattern: Pattern syntax error near position 11: invalid range pattern. Also, other, good paths will no longer work until the app shuts down. And, if the persisted-scope plugin is in use, $APPLOCALDATA/.persisted-scope gets corrupted and no paths will work, even after the app is restarted. Deleting the .persisted-scope file fixes it until another bad path is dropped.

Reproduction

Example project: https://github.com/lendle/tauri-app-bad-filenames created with npm create tauri-app@latest using sveltekit. Also added fs and persisted-scope plugins and the following listener:

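    import { onMount } from "svelte";
    import { getCurrentWindow } from "@tauri-apps/api/window";
    import { exists } from "@tauri-apps/plugin-fs";

    // The snippet as posted started mid-statement; the onMount wrapper and the
    // unlistenPromise assignment are reconstructed from its closing lines.
    onMount(() => {
      const unlistenPromise = getCurrentWindow().onDragDropEvent((event) => {
        if (event.payload.type === "drop") {
          const paths = event.payload.paths;
          console.log("User dropped", paths);

          // Check each dropped path through the fs plugin and log the result or the error.
          for (const path of paths) {
            exists(path)
              .then((ex) => console.log(path, "exists? ", ex))
              .catch(console.error);
          }
        }
      });
      // Unregister the listener when the component is destroyed.
      return () => unlistenPromise.then((unlisten) => unlisten());
    });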

To reproduce:

  1. Start the app in dev and open the console
  2. Drag any file(s) that does/do not have square brackets in the path or filename into the window, you should see a message for each like /path/to/a.txt- "exists? " - true
  3. Drag a file that has matching square brackets, e.g. [a].txt, you will see a message like forbidden path: /path/to/[a].txt, even though the path should be allowed as the user dragged it into the app
  4. Drag a file that has a single open square bracket, e.g. [a.txt, you'll see an error like invalid glob pattern: Pattern syntax error near position 11: invalid range pattern.
  5. Drag more files in, regardless of the name, you will see an error like that in 4, even after restarting the app.

Expected behavior

In all cases, you should see a message in the logs like /path/to/[whatever]/file.txt exists true, regardless of how many square brackets there are in the path.

Full tauri info output

npm run tauri info

> tauri-app-bad-filenames@0.1.0 tauri
> tauri info

[✔] Environment
    - OS: Mac OS 14.6.1 arm64 (X64)
    ✔ Xcode Command Line Tools: installed
    ✔ rustc: 1.79.0 (129f3b996 2024-06-10)
    ✔ cargo: 1.79.0 (ffa9cf99a 2024-06-03)
    ✔ rustup: 1.27.1 (54dd3d00f 2024-04-24)
    ✔ Rust toolchain: 1.79.0-aarch64-apple-darwin (default)
    - node: 22.5.1
    - npm: 10.8.3

[-] Packages
    - tauri 🦀: 2.1.1
    - tauri-build 🦀: 2.0.3
    - wry 🦀: 0.47.0
    - tao 🦀: 0.30.8
    - @tauri-apps/api : 2.1.1
    - @tauri-apps/cli : 2.1.0

[-] Plugins
    - tauri-plugin-shell 🦀: 2.0.2
    - @tauri-apps/plugin-shell : 2.0.1
    - tauri-plugin-persisted-scope 🦀: 2.0.3
    - @tauri-apps/plugin-persisted-scope : not installed!
    - tauri-plugin-fs 🦀: 2.0.3
    - @tauri-apps/plugin-fs : 2.0.2

[-] App
    - build-type: bundle
    - CSP: unset
    - frontendDist: ../build
    - devUrl: http://localhost:1420/
    - framework: Svelte
    - bundler: Vite

Stack trace

No response

Additional context

No response
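The two failures in this report are what happens when a literal path is stored as a scope entry and then parsed as a glob pattern. The following is an added example, not code from Tauri, its plugins or the issue author: a simplified matcher (only `*` and `[...]` classes) whose function names `compile`, `matches`, `escape` and `allowed` are hypothetical. It shows `[a].txt` failing to match itself, `[a.txt` failing to parse, and both succeeding once metacharacters are escaped before the path is added.

```rust
// Added illustration: a simplified glob matcher, not Tauri's or any crate's code.
enum Tok { Lit(char), Class(Vec<char>), Star }

/// Parse a scope entry as a pattern; an unclosed `[` is a syntax error.
fn compile(pat: &str) -> Result<Vec<Tok>, String> {
    let (p, mut out, mut i) = (pat.chars().collect::<Vec<char>>(), Vec::new(), 0);
    while i < p.len() {
        match p[i] {
            '*' => out.push(Tok::Star),
            '[' => {
                // A class has at least one member, so `]` is searched from i + 2.
                let close = (i + 2..p.len()).find(|&j| p[j] == ']')
                    .ok_or_else(|| format!("invalid range pattern near position {i}"))?;
                out.push(Tok::Class(p[i + 1..close].to_vec()));
                i = close;
            }
            c => out.push(Tok::Lit(c)),
        }
        i += 1;
    }
    Ok(out)
}

fn matches(toks: &[Tok], text: &[char]) -> bool {
    match (toks.first(), text.first()) {
        (None, None) => true,
        (Some(Tok::Star), _) => (0..=text.len()).any(|k| matches(&toks[1..], &text[k..])),
        (Some(Tok::Lit(c)), Some(t)) if c == t => matches(&toks[1..], &text[1..]),
        (Some(Tok::Class(cs)), Some(t)) if cs.contains(t) => matches(&toks[1..], &text[1..]),
        _ => false,
    }
}

/// Wrap each metacharacter in a one-member class so the path matches only itself.
fn escape(path: &str) -> String {
    path.chars().map(|c| if "[]*".contains(c) { format!("[{c}]") } else { c.to_string() }).collect()
}

/// Scope check: does the stored entry allow `path`?
fn allowed(entry: &str, path: &str) -> Result<bool, String> {
    Ok(matches(&compile(entry)?, &path.chars().collect::<Vec<_>>()))
}

fn main() {
    // Constructed sample paths mirroring the file names in the report.
    for p in ["/path/to/a.txt", "/path/to/[a].txt", "/path/to/[a.txt"] {
        println!("{p}: raw={:?} escaped={:?}", allowed(p, p), allowed(&escape(p), p));
    }
}
```

The unescaped entry `/path/to/[a].txt` allows `/path/to/a.txt` rather than the file the user dropped, so the defect can permit a different path as well as forbid the intended one.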

lendle commented 3 hours ago

Confirmed the same thing happens with dialog.open.

lendle commented 3 hours ago

I've done more investigation and am going to close this in favor of two related bug reports.