General
1. Cover
2. Intro
3. Adversary Types
4. Scope
Management
5. Management Summary
5.1. Timeline
5.2. Auditors
5.3. Findings Overview
5.4. Future Topics
Engineering
6. Engineering Summary
7. Vulnerability
7.1. Multiple Cross Site Scripting Vulnerabilities
7.2. Improper Sanitization of Tauri Command Arguments
8. Weakness
8.1. Improper Github Workflow Trigger Validation
8.2. Improper Allowlist Configuration
8.3. Dependencies Telemetry Data is not Disabled
8.4. Improper Tauri Security Configuration
8.5. Vulnerable NPM Dependencies
8.6. Vulnerable Cargo crates
9. Investigated
9.1. Proper Github Workflow Security
Appendix
10. Overview
11. Tools
12. Adversary Types
12.1. Compromising
12.2. Input Control
12.3. Social Engineering
Bloop.ai Tauri Component Audit
Tools
We used the following tools, repositories and resources during the audit:
Visual Studio Code LiveShare
Tauri Configuration Documentation
React Documentation