Skip to content

Latest commit

 

History

History
72 lines (59 loc) · 6.89 KB

threat-modeling.md

File metadata and controls

72 lines (59 loc) · 6.89 KB

Threat Model Analysis for tauri-apps/tauri

Threat: Command Injection via Frontend Compromise

  • Description: An attacker gains control of the webview (e.g., through a successful XSS, malicious frontend dependency, or compromised CDN). They craft malicious payloads sent to registered Tauri commands, aiming for arbitrary code execution on the host system. This is not just misusing intended functionality; the attacker attempts to break the command's intended behavior.
  • Impact: Complete system compromise, data exfiltration, data destruction, malware installation, privilege escalation.
  • Affected Tauri Component: #[tauri::command] decorated functions, the IPC mechanism (invoke and event handlers).
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Strict Command Allowlist: Expose only absolutely essential commands. Avoid generic commands.
    • Rigorous Input Validation (Backend): Validate all input parameters to commands. Use strong typing, length limits, character set restrictions, and format validation (e.g., regex). Treat all frontend input as untrusted.
    • Parameter Type Enforcement: Use Rust's strong typing to enforce expected data types. Avoid String when a more specific type is appropriate.
    • Output Encoding (Backend): If a command returns data, ensure proper output encoding to prevent misinterpretation as code.
    • Principle of Least Privilege: Run the Tauri application with the lowest necessary privileges.

Threat: Path Traversal in File System Operations

  • Description: A Tauri command allows file system access (read/write/delete). The attacker provides a crafted file path with ../ sequences or other manipulation characters, trying to access/modify files outside the intended directory.
  • Impact: Unauthorized access to sensitive files, data leakage, data corruption, potential system compromise (if system files are overwritten).
  • Affected Tauri Component: Tauri APIs for file system access (e.g., tauri::api::path, custom commands using std::fs).
  • Risk Severity: High
  • Mitigation Strategies:
    • Path Canonicalization: Use std::fs::canonicalize to resolve paths to their absolute forms before any file system operations.
    • Path Allowlist: Define a strict allowlist of permitted directories/files. Reject any path outside this allowlist. Never construct paths directly from user input without thorough validation.
    • Input Validation (Filename): Validate filenames separately. Reject filenames with special characters or dangerous sequences.
    • Sandboxing: If possible, run the Tauri application in a sandboxed environment to restrict file system access.

Threat: Unauthorized Network Requests

  • Description: A Tauri command allows network requests (e.g., via reqwest or tauri::api::http). The attacker provides a malicious URL to access internal services, exfiltrate data, or perform other network attacks.
  • Impact: Data exfiltration, network reconnaissance, potential exploitation of internal services, denial of service.
  • Affected Tauri Component: Tauri APIs for network access (e.g., tauri::api::http, custom commands using HTTP clients).
  • Risk Severity: High
  • Mitigation Strategies:
    • URL Allowlist: Maintain a strict allowlist of permitted URLs/domains. Reject requests to URLs not on the list.
    • Input Validation (URL): Validate URLs for expected formats and to ensure they don't contain malicious characters.
    • Network Isolation: Consider running the application in a network-isolated environment.
    • Avoid Sensitive Data in URLs: Don't include sensitive data (API keys, passwords) directly in URLs. Use headers or request bodies.

Threat: Malicious Update Delivery

  • Description: An attacker compromises the update server or the update process, delivering a malicious update to the Tauri application.
  • Impact: Complete system compromise.
  • Affected Tauri Component: Tauri's built-in updater (tauri-plugin-updater) or any custom update mechanism.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Use Tauri Updater: Prefer the built-in Tauri updater, as it includes security features like code signing verification.
    • Secure Update Server: Host the update server on secure, trusted infrastructure with strong access controls and HTTPS.
    • Code Signing: Digitally sign all updates with a trusted code signing certificate.
    • Signature Verification: The Tauri application must verify the digital signature of updates before applying them (Tauri updater does this automatically).
    • Regular Security Audits (Update Server): Conduct regular security audits of the update server.

Threat: CSP Bypass via dangerous_disable_asset_csp_modification Misuse

  • Description: The application disables Tauri's default CSP modifications using dangerous_disable_asset_csp_modification without implementing a robust alternative CSP. This leaves the webview vulnerable to attacks that CSP would normally mitigate.
  • Impact: Increased risk of XSS, data injection, and other webview-based attacks.
  • Affected Tauri Component: Tauri's configuration related to Content Security Policy (tauri.conf.json).
  • Risk Severity: High
  • Mitigation Strategies:
    • Avoid Disabling: Do not disable Tauri's CSP modifications unless absolutely necessary.
    • Implement Strong Custom CSP: If disabling is unavoidable, implement a very strict, custom CSP that provides equivalent or better protection. Thoroughly test the custom CSP.

Threat: CSP Bypass via dangerous_allow_asset_csp_modification Misuse

  • Description: The application allows webview to modify CSP using dangerous_allow_asset_csp_modification without implementing a robust alternative CSP. This leaves the webview vulnerable to attacks that CSP would normally mitigate.
    • Impact: Increased risk of XSS, data injection, and other webview-based attacks.
    • Affected Tauri Component: Tauri's configuration related to Content Security Policy (tauri.conf.json).
    • Risk Severity: High
    • Mitigation Strategies:
      • Avoid Allowing: Do not allow webview to modify Tauri's CSP modifications unless absolutely necessary and you fully understand the implications.
      • Implement Strong Custom CSP: If allowing is unavoidable, implement a very strict, custom CSP that provides equivalent or better protection. Thoroughly test the custom CSP.