Skip to content

Latest commit

 

History

History
126 lines (90 loc) · 10.7 KB

mitigations.md

File metadata and controls

126 lines (90 loc) · 10.7 KB

Mitigation Strategies Analysis for tauri-apps/tauri

Mitigation Strategy: Capability-Based Security (Tauri's allowlist)

  • Mitigation Strategy: Capability-Based Security (Tauri's allowlist)

    • Description:

      1. Start with an Empty Allowlist: Begin with a completely empty allowlist in your tauri.conf.json file. This ensures that the frontend has no access to any Tauri APIs by default.
      2. Identify Required Capabilities: Carefully analyze your application's frontend code to determine the minimum set of Tauri APIs and custom commands it needs to function.
      3. Incrementally Add Capabilities: Add entries to the allowlist only for the specific APIs and commands identified in step 2. Be as granular as possible. For example, if you only need to read a specific file, allow only that file and only the read operation. Use glob patterns and environment variables for flexibility, but always prioritize the most restrictive setting.
      4. Regular Review: Periodically review the allowlist to ensure it remains minimal and reflects the current needs of the application. Remove any unused capabilities. This should be part of your regular development workflow.

    • Threats Mitigated:

      • Remote Code Execution (RCE) (Severity: Critical): Limits the attack surface by restricting access to potentially dangerous APIs (e.g., shell, fs, http). An attacker compromising the frontend cannot directly execute arbitrary commands on the host system.
      • Privilege Escalation (Severity: High): Prevents the frontend from accessing backend functionality it shouldn't have access to, even if the frontend is compromised.
      • Data Exfiltration (Severity: High): Restricts access to APIs that could be used to read or write sensitive data (e.g., files, environment variables).

    • Impact:

      • RCE: Risk significantly reduced (the primary defense against RCE in Tauri).
      • Privilege Escalation: Risk significantly reduced.
      • Data Exfiltration: Risk significantly reduced.

    • Currently Implemented:

      • tauri.conf.json contains an allowlist that grants access to fs.readFile for a specific configuration file ($APPDATA/config.json) and dialog.open for file selection.

    • Missing Implementation:

      • The shell.open capability is currently allowed for all URLs. This should be restricted to a allowlist of known-safe URLs or removed if not strictly necessary.
      • Custom commands are not yet included in the allowlist; they must be added with specific, granular permissions. Each custom command should be individually listed and its allowed arguments (if any) should be defined.

Mitigation Strategy: Context Isolation

  • Mitigation Strategy: Context Isolation

    • Description:

      1. Enable Context Isolation: In your tauri.conf.json file, set tauri.security.contextIsolation to true. This is a critical security setting.
      2. Refactor Frontend Code: If you were previously accessing Tauri APIs directly from the frontend context (e.g., using window.tauri), you must refactor your code to use the IPC mechanism exclusively. The invoke function (from @tauri-apps/api) should be used to communicate with the backend.
      3. Preload Scripts: Use preload scripts (build.frontendDist and tauri.security.csp in tauri.conf.json) to expose specific, controlled functionality to the frontend. These scripts run in a separate context with access to the Tauri API, but they act as a bridge, limiting direct access from the main frontend. The preload script should only expose the absolute minimum necessary functions.
      4. Communicate via IPC: All communication between the isolated frontend and the backend must go through the defined IPC channels.

    • Threats Mitigated:

      • Cross-Site Scripting (XSS) (Severity: High): If an attacker injects malicious JavaScript into the frontend, context isolation prevents them from directly accessing the Tauri API, significantly limiting the damage. The attacker is confined to the isolated context.
      • Remote Code Execution (RCE) (Severity: Critical): Indirectly mitigates RCE by severely limiting the attacker's ability to interact with the backend even if the frontend is compromised. The attacker cannot directly call Tauri APIs.

    • Impact:

      • XSS: Risk significantly reduced (attacker's capabilities are severely limited to the isolated context).
      • RCE: Risk indirectly but significantly reduced.

    • Currently Implemented:

      • tauri.conf.json has contextIsolation set to true.
      • A preload script (src/preload.js) exposes a limited set of functions for interacting with the backend via IPC.

    • Missing Implementation:

      • Some frontend code still attempts to access window.tauri directly (legacy code). This must be refactored to use the IPC mechanism via the preload script. This is a high-priority fix.

Mitigation Strategy: Disable Node.js Integration (if not needed)

  • Mitigation Strategy: Disable Node.js Integration (if not needed)

    • Description:

      1. Assess Node.js Requirements: Determine if your frontend absolutely requires Node.js features. If your frontend is purely web-based (HTML, CSS, JavaScript) and doesn't use Node.js modules, you should disable Node.js integration.
      2. Set build.withGlobalTauri: In your tauri.conf.json file, set build.withGlobalTauri to false. This prevents the injection of the global __TAURI__ object, which provides access to Node.js APIs.
      3. Verify WebView Settings: Ensure that no other settings in your WebView configuration are enabling Node.js integration.

    • Threats Mitigated:

      • Remote Code Execution (RCE) (Severity: Critical): If Node.js integration is enabled and the frontend is compromised (e.g., via XSS), the attacker could potentially use Node.js modules to execute arbitrary code on the host system. Disabling Node.js integration eliminates this risk.
      • Cross-Site Scripting (XSS) (Severity: High): Reduces the impact of XSS by preventing access to Node.js APIs that could be used for malicious purposes.

    • Impact:

      • RCE: Risk significantly reduced (eliminates a major RCE vector if Node.js is not needed).
      • XSS: Risk reduced.

    • Currently Implemented:

      • tauri.conf.json has build.withGlobalTauri set to false.

    • Missing Implementation:

      • None. This mitigation is fully implemented.

Mitigation Strategy: Avoid dangerousRemoteDomainIpcAccess

  • Mitigation Strategy: Avoid dangerousRemoteDomainIpcAccess

    • Description:

      1. Do NOT Enable: In your tauri.conf.json file, ensure that tauri.security.dangerousRemoteDomainIpcAccess is not set to true. The default is false, and you should leave it that way unless you have an extremely compelling reason to change it, and you fully understand the security implications.
      2. If Absolutely Necessary (Highly Discouraged): If you must enable this setting (which is strongly discouraged), you must implement extremely strict origin checks and message validation on both the frontend and backend. You are essentially opening up your application to cross-origin communication, which is a significant security risk.

    • Threats Mitigated:

      • Cross-Site Scripting (XSS) (Severity: High): Prevents iframes from different origins from communicating with your Tauri backend, mitigating a potential XSS vector.
      • Remote Code Execution (RCE) (Severity: Critical): By preventing cross-origin IPC, you reduce the risk of an attacker in a different origin exploiting vulnerabilities in your backend.

    • Impact:

      • XSS: Risk significantly reduced (by default).
      • RCE: Risk significantly reduced (by default).

    • Currently Implemented:

      • tauri.conf.json does not have dangerousRemoteDomainIpcAccess enabled (it is false by default).

    • Missing Implementation:

      • None. This mitigation is fully implemented by not enabling the dangerous setting.

Mitigation Strategy: Secure Updater Configuration

  • Mitigation Strategy: Secure Updater Configuration

    • Description:

      1. Use Tauri's Built-in Updater: Utilize the updater provided by Tauri (@tauri-apps/api/updater). This updater is designed with security in mind.
      2. Configure tauri.conf.json: In the tauri.conf.json file, configure the tauri.updater section.
      3. Set active to true: Enable the updater.
      4. Specify endpoints: Provide a list of secure (HTTPS) endpoints where your update manifests are hosted.
      5. Set dialog to true (Optional): Enable the built-in update dialog to inform users about available updates.
      6. Configure pubkey: Crucially, set the pubkey field to the public key corresponding to the private key you use to sign your updates. This allows Tauri to verify the authenticity and integrity of downloaded updates.
      7. Sign your updates: Use the Tauri CLI to sign your application builds. This creates a signature file that is included in the update package.

    • Threats Mitigated:

      • Man-in-the-Middle (MitM) Attacks (Severity: Critical): Prevents attackers from intercepting and modifying update files, ensuring that users receive genuine updates.
      • Malicious Update Distribution (Severity: Critical): Prevents attackers from distributing malicious updates disguised as legitimate updates.

    • Impact:

      • MitM Attacks: Risk significantly reduced (if updates are signed and the public key is correctly configured).
      • Malicious Update Distribution: Risk significantly reduced.

    • Currently Implemented:

      • tauri.conf.json has the updater section configured with active: true, endpoints pointing to a secure server, and dialog: true.

    • Missing Implementation:

      • The pubkey field is not yet set in tauri.conf.json. This is a critical missing piece and must be implemented before deploying updates. The application builds are not currently being signed.