fix(deps): update rust crate tauri to v1.6.7 [security] #90
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.2.4
->1.6.7
GitHub Vulnerability Alerts
CVE-2023-31134
Impact
The Tauri IPC is usually strictly isolated from external websites but the isolation can be bypassed by redirecting an existing Tauri window to an external website. This is either possible by an application implementing a feature for users to visit arbitrary websites or due to a bug allowing the open redirect1.
This allows the external website access to the IPC layer and therefore to all configured and exposed Tauri API endpoints and application specific implemented Tauri commands.
Patches
This issue has been patched in the latest release and was backported to all previous
1.x
releases.Workarounds
Prevent arbitrary input in redirect features. Only allow trusted websites access to the IPC.
References
The feature to enable this behavior in a more constrained way was introduced in the
1.3
release and documentation around this can be found in the documentation.CVE-2024-35222
Impact
Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the
dangerousRemoteDomainIpcAccess
in v1 and in thecapabilities
in v2.This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window.
For this to be exploitable, an attacker must have script execution (e.g. XSS) in a script-enabled iFrame of a Tauri application.
Patches
The patches include changes to wry and the behaviour of Tauri applications using iFrames. Previously, we injected the Tauri IPC initialization script into iFrames on MacOS, which was unintended. This is now also disabled to be consistent with all other supported operating systems.
This means that the Tauri invoke functionality is no longer accessible from iFrames, except on Windows when the origin of the Tauri window and the origin of the iFrame are the same.
We have also added a new protection mechanism to the IPC layer to protect against iFrames directly using the WebView IPC functionality (e.g. via
window.ipc.postMessage
).This introduces an invoke key (
__TAURI_INVOKE_KEY__
) which is used to prevent frames that have not been initialized by the Tauri core from sending messages to the Tauri IPC.This key is not used to protect against compromised Tauri windows or WebViews and is only intended to block IPC access from sub-frames.
Unauthorized messages to the Tauri IPC from an iFrame or other non-initialized context will log a warning and the potentially malicious IPC call will be ignored.
Workarounds
These workarounds should only be considered if you are unable to upgrade to the patched Tauri version in time.
As a workaround for v1 Tauri applications, we recommend using a dedicated window for untrusted origins instead of iFrames, or disabling script execution within the iFrame.
For v2 Tauri applications targeting Linux, it is possible to use either a dedicated window or multiple WebViews in the main window to simulate iFrame behavior.
On other platforms, it is only possible to use dedicated windows or disable script execution inside the iFrame, as described for v1.
References
If you have any questions or comments about this advisory:
Open an issue in tauri or
Email us at security@tauri.app
The original submissions from the reporter:
Release Notes
tauri-apps/tauri (tauri)
v1.6.7
: tauri v1.6.7Compare Source
Updating crates.io index
Cargo Audit
[1.6.7]
Bug Fixes
50aabad1f
(#9818) On Windows, fix flashing PowerShell for updates for NSIS installer, and address possible "permission denied" problems.Security fixes
f6d81dfe0
Only process IPC commands from the main frame.Dependencies
tauri-runtime-wry@0.14.8
Cargo Publish
v1.6.6
: tauri v1.6.6Compare Source
Updating crates.io index
Cargo Audit
[1.6.6]
Bug Fixes
704260bb3
(#9784) Fix dialog crash on macOS when thedefault_path
value is empty.3b69c1384
(#9792) Revert #9706 which broke compatability betweentauri
crate and the JS@tauri-apps/api
npm package in a patch release where it should've been in a minor release.Cargo Publish
v1.6.5
: tauri v1.6.5Compare Source
Updating crates.io index
Cargo Audit
[1.6.5]
Bug Fixes
ef35a793c
(#9729) Fix compilation error whenshell-execute
orshell-sidecar
features are not activeCargo Publish
v1.6.4
: tauri v1.6.4Compare Source
Updating crates.io index
Cargo Audit
[1.6.4]
Enhancements
7f885bd5e
(#9706) Enhance the speed of The JSCommand.execute
API fromshell
module.Dependencies
tauri-runtime-wry@0.14.7
Cargo Publish
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
Footnotes
https://en.wikipedia.org/wiki/Open_redirect ↩