Improper Allowlist Configuration

Base Metric   Score   Severity
Overall       6.2     Medium

Type: Weakness

Status: open

Reporting Date: 2023.04.04

The application ships a permissive allowlist configuration that imports and enables Tauri API endpoints the frontend never uses.

Description

The application has a permissive allowlist configuration that enables most of the Tauri API endpoints. Additionally, the enabled API features make no use of Tauri's scoping features (for example the fs and shell scopes), which weakens the security model for some APIs.

We observed the following configuration:

"allowlist": {
      "fs": {
        "all": true
      },
      "window": {
        "all": true
      },
      "dialog": {
        "open": true
      },
      "http": {
        "all": true
      },
      "os": {
        "all": true
      },
      "shell": {
        "all": true
      },
      "path": {
        "all": true
      },
      "process": {
        "all": true
      }
    },

We observed the following imports:

import { open } from '@tauri-apps/api/shell';
import { homeDir } from '@tauri-apps/api/path';
import { message, open as openDialog } from '@tauri-apps/api/dialog';
import { listen } from '@tauri-apps/api/event';
import * as tauriOs from '@tauri-apps/api/os';
import { getVersion } from '@tauri-apps/api/app';

Endpoints missing features:

      "dialog": {
        "open": true
      },

Reference documentation for the dialog configuration can be found at https://tauri.app/v1/api/config/#dialogallowlistconfig.

In this case the message and open functions are imported, but only the open feature is enabled in the allowlist, so the message dialog is not available to the frontend.

Unused endpoints:

      "fs": {
        "all": true
      },
      "window": {
        "all": true
      },
      "process": {
        "all": true
      },
      "http": {
        "all": true
      }

These can be removed from the configuration. The APIs remain usable from the Rust core but are no longer exposed to the frontend.

Endpoints missing hardening:

      "shell": {
        "all": true
      },

Reference documentation for the shell configuration can be found at https://tauri.app/v1/api/config/#shellallowlistconfig.

In this case the execute and sidecar features are not used in the frontend and can be safely disabled. Only the open endpoint is used. With "open": true the default validation regex applies, which only accepts http(s)://, mailto: and tel: URLs and is considered a sane default; if the application only ever opens https:// links, a stricter regex can be supplied as the string value of open instead of true.

Impact

Assuming an adversary with script execution capability in the frontend, every allowlisted Tauri API endpoint becomes reachable. In this instance that allows opening arbitrary windows (for example to trick users into entering credentials), presenting file dialogs that trick the user into selecting arbitrary files, and reading the files the user selected.

Likelihood of exploitation is currently elevated because of the frontend XSS finding, and the impact is therefore rated high.

Recommendation

We recommend using the following allowlist:

"allowlist": {
      "dialog": {
        "open": true,
        "message": true
      },
      "os": {
        "all": true
      },
      "path": {
        "all": true
      },
      "shell": {
        "open": true
      }
    }

In general, we recommend enabling only the specific features that are actually imported and used in the frontend code.
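The check behind both the "unused endpoints" list above and this general recommendation can be automated. The following is an added example and is not code from the audited application or from Tauri: a small Node.js linter that parses the @tauri-apps/api imports in the frontend source, derives the allowlist features they need, and compares that with the configured allowlist. FEATURE_MAP (which import names map to which allowlist features, which modules only have an "all" switch, and which need no allowlist entry) is an assumption that only covers the modules seen in this finding; the sample allowlist and import lines are the ones quoted above.

```javascript
// Added example (not code from the audited application or from Tauri): a small
// linter that compares a Tauri v1 "allowlist" against the @tauri-apps/api
// imports in the frontend source. FEATURE_MAP is an assumption that covers the
// modules seen in this finding; extend it before using this on a real project.

// Assumed mapping: module -> { importedName: allowlistFeature }, or "all" when
// the module's allowlist only has an "all" switch, or null when the module
// needs no allowlist entry at all.
const FEATURE_MAP = {
  dialog: { open: "open", message: "message", ask: "ask", confirm: "confirm", save: "save" },
  shell: { open: "open", Command: "execute" },
  path: "all",
  os: "all",
  event: null,
  app: null,
};

// Constructed input: the allowlist and import lines quoted in this finding.
const OBSERVED_ALLOWLIST = {
  fs: { all: true },
  window: { all: true },
  dialog: { open: true },
  http: { all: true },
  os: { all: true },
  shell: { all: true },
  path: { all: true },
  process: { all: true },
};

const OBSERVED_IMPORTS = `
import { open } from '@tauri-apps/api/shell';
import { homeDir } from '@tauri-apps/api/path';
import { message, open as openDialog } from '@tauri-apps/api/dialog';
import { listen } from '@tauri-apps/api/event';
import * as tauriOs from '@tauri-apps/api/os';
import { getVersion } from '@tauri-apps/api/app';
`;

// Extract { module, name } pairs from named and namespace imports of
// @tauri-apps/api/<module>; aliases ("open as openDialog") are stripped.
function parseTauriImports(source) {
  const re = /import\s+(\*\s+as\s+\w+|\{[^}]*\})\s+from\s+['"]@tauri-apps\/api\/(\w+)['"]/g;
  const found = [];
  for (const [, spec, module] of source.matchAll(re)) {
    if (spec.startsWith("*")) {
      found.push({ module, name: "*" });
      continue;
    }
    for (const part of spec.slice(1, -1).split(",")) {
      const name = part.trim().split(/\s+as\s+/)[0];
      if (name) found.push({ module, name });
    }
  }
  return found;
}

// Turn imports into the sorted list of "module.feature" strings the allowlist
// must enable. Unknown functions and namespace imports conservatively need "all".
function requiredFeatures(imports) {
  const required = new Set();
  for (const { module, name } of imports) {
    const map = FEATURE_MAP[module];
    if (map === null) continue; // always available, no allowlist entry needed
    const feature = map !== "all" && name !== "*" && map && map[name] ? map[name] : "all";
    required.add(`${module}.${feature}`);
  }
  return [...required].sort();
}

function isEnabled(allowlist, module, feature) {
  const cfg = allowlist[module];
  return Boolean(cfg && (cfg.all === true || cfg[feature] === true));
}

// Report modules the imports never need, required features the allowlist
// lacks, and the minimal allowlist that covers exactly the observed imports.
function auditAllowlist(allowlist, source) {
  const required = requiredFeatures(parseTauriImports(source));
  const usedModules = new Set(required.map((f) => f.split(".")[0]));
  const unused = Object.keys(allowlist).filter((m) => !usedModules.has(m));
  const missing = required.filter((f) => !isEnabled(allowlist, ...f.split(".")));
  const minimal = {};
  for (const f of required) {
    const [module, feature] = f.split(".");
    minimal[module] = { ...(minimal[module] || {}), [feature]: true };
  }
  const notes = [];
  if (minimal.shell && minimal.shell.open) {
    notes.push("shell.open: pass a validation regex string instead of true if only specific URL schemes are ever opened");
  }
  return { unused, missing, minimal, notes };
}

console.log(JSON.stringify(auditAllowlist(OBSERVED_ALLOWLIST, OBSERVED_IMPORTS), null, 2));
```

Run against the observed configuration, the report lists fs, window, http and process as unused, dialog.message as the one imported feature the allowlist lacks, and produces the same minimal allowlist as the recommendation above. Running it a second time on that minimal allowlist yields no unused and no missing entries, which is the state a release build should be gated on.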