Finding Name Summary Recommendation

Multiple Cross Site Scripting Vulnerabilities

Due to usage of dangerouslySetInnerHTML in the client it is possible to execute arbitrary javascript in the application context. This requires a malicious README.md in one of the synced repositories.

This issue can be fixed in multiple ways, depending on the importance of HTML content being rendered.

  • Disable the HTML feature of the markdown renderer

OR

  • Sanitize the input after rendering with libraries like dompurify1

We recommend to disable the HTML input, as the sanitization process is only meant to reduce but not to erase the risk of unwanted HTML to be processed and rendered.

Improper Sanitization of Tauri Command Arguments

The custom implemented Tauri command show_folder_in_finder allows for unwanted link opening instead of files shown in the explorer, depending on the operating system.
  • Use built-in Tauri command open2 to display files
  • Validate path argument against valid file paths
2

API Reference, requires a custom regex to allow only file paths

Improper Github Workflow Trigger Validation

The build-on-pr Github workflow passes untrusted data to into a shell command, causing improper username comparison and triggering further workflow execution.

Refactor the workflow to facilitate proper github authorisation mechanisms.

Improper Allowlist Configuration

The application facilitates a permissive allow list configuration, which imports and enables unused Tauri API endpoints.

we recommend to use the following allow list:

"allowlist": {
      "dialog": {
        "open": true,
        "message": true
      },
      "os": {
        "all": true
      },
      "path": {
        "all": true
      },
      "shell": {
        "open": true
      },
    }

In general we recommend to only enable the specific features, which are used and imported in the frontend code.

Dependencies Telemetry Data is not Disabled

Application dependencies have their own telemetry system, which is not documented, disabled or controlled by the bloop application.
  • Document possible telemetry transmission from dependencies in the privacy policy
  • Disable dependency telemetry if possible
  • Investigate telemetry data from onnxruntime

Improper Tauri Security Configuration

The application is missing a Content Security policy to add a defense-in-depth layer against adversaries.
  • Enable the CSP
  • Harden the CSP as much as possible

Vulnerable NPM Dependencies

Due to outdated packages in the frontend, the application is at risk of vulnerabilities in these dependencies.
  • Ensure updated packages
  • Fix outdated vulnerable packages manually or with npm audit --fix

Vulnerable Cargo crates

Some of the Rust crates possess vulnerabilies or are unmaintained. The application is at risk through these dependencies.
  • Ensure updated packages when possible
  • Replace the tempdir crate with tempfile