General
1. Cover
2. Intro
3. Adversary Types
4. Scope
Management
5. Management Summary
5.1. Timeline
5.2. Auditors
5.3. Findings Overview
5.4. Future Topics
Engineering
6. Engineering Summary
7. Vulnerability
7.1. Multiple Cross Site Scripting Vulnerabilities
7.2. Improper Sanitization of Tauri Command Arguments
8. Weakness
8.1. Improper Github Workflow Trigger Validation
8.2. Improper Allowlist Configuration
8.3. Dependencies Telemetry Data is not Disabled
8.4. Improper Tauri Security Configuration
8.5. Vulnerable NPM Dependencies
8.6. Vulnerable Cargo crates
9. Investigated
9.1. Proper Github Workflow Security
Appendix
10. Overview
11. Tools
12. Adversary Types
12.1. Compromising
12.2. Input Control
12.3. Social Engineering
Bloop.ai Tauri Component Audit
Adversary Types
The following adversary types are explained in more detail in their respective sections.
Input Control Adversary
    Cross Site Scripting
    Remote source compromise
    Logical Bug
Compromising Adversary
    Developer Machines
    Deployment Infrastructure
    User Filesystem
    User Applications
    Network (Man-in-the-Middle)
Social Engineering Adversary