understanding-tauri-lifecycle-security

仓库: dchuk/claude-code-tauri-skills
安装量: 36
排名: #19435

安装

npx skills add https://github.com/dchuk/claude-code-tauri-skills --skill understanding-tauri-lifecycle-security

Security in Tauri applications depends on systematic protection across all lifecycle stages. The weakest link in your application lifecycle essentially defines your security posture.

Core Security Principle

Tauri implements a two-tier security model:

  • Rust Core: Full system access

  • WebView Frontend: Access only through controlled IPC layer

Any code executed in the WebView has only access to exposed system resources via the well-defined IPC layer.

Development Phase Threats

Upstream Dependency Risks

Third-party dependencies may lack the strict oversight that Tauri maintains.

Mitigation Strategies:

# Scan Rust dependencies for vulnerabilities
cargo audit

# Scan npm dependencies
npm audit

# Advanced supply chain analysis
cargo vet
cargo crev
cargo supply-chain

Best Practices:

  • Keep Tauri, rustc, and nodejs current to patch vulnerabilities

  • Evaluate trustworthiness of third-party libraries before integration

  • Prefer consuming critical dependencies via git hash revisions rather than version ranges

# Cargo.toml - Pin to specific commit hash
[dependencies]
critical-lib = { git = "https://github.com/org/critical-lib", rev = "abc123def456" }

Development Server Exposure

Development servers typically run unencrypted and unauthenticated on local networks, allowing attackers to push malicious frontend code to development devices.

Threat Scenario:

Attacker on same network -> Intercepts dev server traffic -> Injects malicious frontend code

Mitigation:

  • Develop only on trusted networks

  • Implement mutual TLS (mTLS) authentication when necessary

  • Note: Tauri's built-in dev server lacks mutual authentication features

Machine Hardening

| Avoid admin accounts for coding | Limit blast radius of compromise

| Block secrets from version control | Prevent credential leaks

| Use hardware security tokens | Minimize compromise impact

| Minimize installed applications | Reduce attack surface

Source Control Security

Required Protections:

  • Implement proper access controls in version control systems

  • Require contributor commit signing to prevent unauthorized attribution

  • Use established hardening guidelines for authentication workflows

# Enable commit signing
git config --global commit.gpgsign true
git config --global user.signingkey YOUR_KEY_ID

Build Phase Threats

Build System Trust

CI/CD systems access source code, secrets, and can modify builds without local verification.

Threat Vectors:

  • Compromised CI/CD provider

  • Malicious build scripts

  • Unauthorized secret access

  • Build artifact tampering

Mitigation Options:

  • Trust reputable third-party providers (GitHub Actions, GitLab CI)

  • Host and control your own infrastructure for sensitive applications

Binary Signing

Applications must be cryptographically signed for their target platform.

Platform Requirements:

| macOS | Apple Developer Certificate + Notarization

| Windows | Code Signing Certificate (EV recommended)

| Linux | GPG signing for packages

Key Protection:

# Use hardware tokens for signing credentials
# Prevents compromised build systems from leaking keys

# Example: Using YubiKey for code signing
pkcs11-tool --module /usr/lib/opensc-pkcs11.so --sign

Hardware tokens prevent key exfiltration but cannot prevent key misuse on a compromised system.

Reproducible Builds Challenge

Rust is not fully reliable at producing reproducible builds despite theoretical support. Frontend bundlers similarly struggle with reproducible output.

Implications:

  • Cannot entirely eliminate reliance on build system trust

  • Implement multiple verification layers

  • Consider build provenance attestation

Distribution Threats

Loss of control over manifest servers, build servers, or binary hosting creates critical vulnerability points.

Attack Vectors

Manifest Server Compromise -> Malicious update metadata -> Users download tampered binaries
Build Server Compromise -> Injected malware at build time -> Signed malicious releases
Binary Host Compromise -> Replaced binaries -> Users download malicious versions

Mitigation Strategies

  • Secure Update Channels

Use HTTPS for all update communications

  • Implement certificate pinning where possible

  • Verify update signatures client-side

  • Binary Integrity

Publish checksums alongside releases

  • Use signed manifests for updates

  • Consider transparency logs

  • Infrastructure Security

Multi-factor authentication for all distribution systems

  • Audit logging for binary access

  • Separate credentials for different environments

Runtime Threats

WebView Security Model

Tauri assumes webview components are inherently insecure and implements multiple protection layers.

Defense Layers:

                    +------------------+
                    |   Untrusted      |
                    |   Frontend Code  |
                    +--------+---------+
                             |
                    +--------v---------+
                    |       CSP        |  <- Restricts communication types
                    +--------+---------+
                             |
                    +--------v---------+
                    |   Capabilities   |  <- Controls API access
                    +--------+---------+
                             |
                    +--------v---------+
                    |   Permissions    |  <- Fine-grained command control
                    +--------+---------+
                             |
                    +--------v---------+
                    |      Scopes      |  <- Resource-level restrictions
                    +--------+---------+
                             |
                    +--------v---------+
                    |   Rust Backend   |  <- Trusted system access
                    +------------------+

Content Security Policy (CSP)

CSP restricts webview communication types to prevent XSS and injection attacks.

Configuration in tauri.conf.json:

{
  "app": {
    "security": {
      "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
    }
  }
}

CSP Best Practices:

  • Start with restrictive policy, relax only as needed

  • Avoid 'unsafe-eval' and 'unsafe-inline' for scripts

  • Use nonces or hashes for inline scripts when required

Capabilities Configuration

Define which permissions are granted to specific windows.

Example: src-tauri/capabilities/main.json

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "main-capability",
  "description": "Capability for the main window",
  "windows": ["main"],
  "permissions": [
    "core:path:default",
    "core:window:allow-set-title",
    "fs:read-files"
  ]
}

Security Notes:

  • Windows in multiple capabilities merge security boundaries

  • Security boundaries depend on window labels, not titles

  • Capabilities protect against frontend compromise and privilege escalation

Permission Scopes

Control resource access at a granular level.

Example: File System Scope

# src-tauri/permissions/fs-restricted.toml
[[permission]]
identifier = "fs-home-restricted"
description = "Allow home directory access except secrets"
commands.allow = ["read_file", "write_file"]

[[scope.allow]]
path = "$HOME/*"

[[scope.deny]]
path = "$HOME/.ssh/*"

[[scope.deny]]
path = "$HOME/.gnupg/*"

[[scope.deny]]
path = "$HOME/.aws/*"

Prototype Freezing

Prevent JavaScript prototype pollution attacks.

{
  "app": {
    "security": {
      "freezePrototype": true
    }
  }
}

Remote API Access Control

Control which external URLs can access Tauri commands.

{
  "identifier": "remote-api-capability",
  "remote": {
    "urls": ["https://*.yourdomain.com"]
  },
  "permissions": ["limited-api-access"]
}

Threat Mitigation Quick Reference

| Development | Dependency vulnerabilities | cargo audit, npm audit, pin versions

| Development | Dev server exposure | Trusted networks, mTLS

| Development | Credential leaks | Hardware tokens, gitignore secrets

| Build | CI/CD compromise | Trusted providers, self-hosted options

| Build | Unsigned binaries | Platform signing, hardware key storage

| Distribution | Manifest tampering | HTTPS, certificate pinning

| Distribution | Binary replacement | Checksums, signed manifests

| Runtime | XSS/injection | CSP, input validation

| Runtime | Privilege escalation | Capabilities, permissions, scopes

| Runtime | Prototype pollution | freezePrototype: true

Security Configuration Template

Minimal Secure Configuration:

{
  "app": {
    "security": {
      "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'",
      "freezePrototype": true,
      "capabilities": ["main-capability"],
      "dangerousDisableAssetCspModification": false,
      "assetProtocol": {
        "enable": false,
        "scope": []
      }
    }
  }
}

Capability File Structure:

src-tauri/
├── capabilities/
│   ├── main.json          # Main window capabilities
│   └── settings.json      # Settings window capabilities
├── permissions/
│   └── custom-scope.toml  # Custom permission scopes
└── tauri.conf.json

Vulnerability Reporting

If you discover security vulnerabilities in Tauri applications:

  • Use GitHub Vulnerability Disclosure on affected repositories

  • Email: security@tauri.app

  • Do not publicly discuss findings before coordinated resolution

  • Limited bounty consideration available

Key Takeaways

  • Defense in Depth: No single layer provides sufficient protection

  • Least Privilege: Grant minimum necessary permissions

  • Update Regularly: WebView patches reach users faster through OS updates

  • Trust Boundaries: Frontend code is untrusted; validate everything in Rust

  • Lifecycle Coverage: Security must span development through runtime

返回排行榜