Finding Overview

The following table summarizes the results of the audit:

| Type | Status | Name | Summary | Severity (Score) |
|---|---|---|---|---|
| Vulnerability | fixed | Multiple Cross Site Scripting Vulnerabilities | Due to the usage of dangerouslySetInnerHTML in the client, it is possible to execute arbitrary JavaScript in the application context. This requires a malicious README.md in one of the synced repositories. | critical (9) |
| Vulnerability | fixed | Improper Sanitization of Tauri Command Arguments | The custom-implemented Tauri command show_folder_in_finder allows unwanted links to be opened instead of files being shown in the file explorer, depending on the operating system. | low (2) |
| Weakness | fixed | Improper GitHub Workflow Trigger Validation | The build-on-pr GitHub workflow passes untrusted data into a shell command, causing an improper username comparison and triggering further workflow execution. | high (8.2) |
| Weakness | open | Improper Allowlist Configuration | The application uses a permissive allowlist configuration, which imports and enables unused Tauri API endpoints. | medium (6.2) |
| Weakness | fixed | Dependencies Telemetry Data is not Disabled | Application dependencies have their own telemetry systems, which are not documented, disabled or controlled by the bloop application. | low (3.7) |
| Weakness | open | Improper Tauri Security Configuration | The application is missing a Content Security Policy, which would add a defense-in-depth layer against adversaries. | low (3.1) |
| Weakness | fixed | Vulnerable NPM Dependencies | Due to outdated packages in the frontend, the application is at risk from vulnerabilities in these dependencies. | low (2.5) |
| Weakness | open | Vulnerable Cargo Crates | Some of the Rust crates have known vulnerabilities or are unmaintained. The application is at risk through these dependencies. | low (2.5) |
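The "Improper GitHub Workflow Trigger Validation" finding above rests on one mechanism: GitHub Actions substitutes `${{ ... }}` expressions into the text of a `run:` step before the shell ever parses it, so an untrusted event field placed inside a comparison becomes shell code rather than data. The following POSIX shell script is an added illustration of that mechanism and of the usual fix, not the audited project's build-on-pr workflow or any code from it. The step text, the trusted username `maintainer`, the choice of `github.event.pull_request.user.login` as the untrusted field, and the crafted value are all hypothetical and constructed for the example.

```sh
#!/bin/sh
# Added example, not the audited project's workflow: models the failure mode
# behind "Improper GitHub Workflow Trigger Validation". GitHub Actions replaces
# ${{ ... }} expressions with their text BEFORE the shell parses a `run:` step,
# so an expression inside a shell comparison is code, not data. The step text,
# the trusted username "maintainer", the event field and the payload are all
# hypothetical.

LOGIN_EXPR='${{ github.event.pull_request.user.login }}'

# Vulnerable step: the expression is spliced straight into the test command.
VULNERABLE_STEP='if [ "${{ github.event.pull_request.user.login }}" = "maintainer" ]; then echo TRIGGER; else echo SKIP; fi'

# Hardened step: the value is delivered through the environment (in the
# workflow: env: PR_LOGIN: ${{ github.event.pull_request.user.login }}) and the
# script only ever sees it as the contents of a quoted variable.
HARDENED_STEP='if [ "$PR_LOGIN" = "maintainer" ]; then echo TRIGGER; else echo SKIP; fi'

# render_expression TEMPLATE VALUE
# Imitates the runner's textual substitution of LOGIN_EXPR with VALUE.
render_expression() {
  tpl=$1
  val=$2
  prefix=${tpl%%"$LOGIN_EXPR"*}
  suffix=${tpl#*"$LOGIN_EXPR"}
  printf '%s%s%s' "$prefix" "$val" "$suffix"
}

# run_vulnerable_step LOGIN -> prints TRIGGER or SKIP
# The rendered text is handed to a fresh shell, exactly as the runner does.
run_vulnerable_step() {
  script=$(render_expression "$VULNERABLE_STEP" "$1")
  sh -c "$script"
}

# run_hardened_step LOGIN -> prints TRIGGER or SKIP
# No substitution happens; the login only reaches the script as $PR_LOGIN.
run_hardened_step() {
  PR_LOGIN=$1 sh -c "$HARDENED_STEP"
}

# Constructed value that closes the quoted string and appends an always-true
# clause to the test expression. The point is that it is re-parsed as shell.
PAYLOAD='x" = "x" -o "y'

echo "vulnerable, login 'attacker':   $(run_vulnerable_step attacker)"     # SKIP
echo "vulnerable, crafted login:      $(run_vulnerable_step "$PAYLOAD")"   # TRIGGER
echo "hardened, crafted login:        $(run_hardened_step "$PAYLOAD")"     # SKIP
echo "hardened, login 'maintainer':   $(run_hardened_step maintainer)"     # TRIGGER
```

The crafted value turns `[ "…" = "maintainer" ]` into `[ "x" = "x" -o "y" = "maintainer" ]`, which is true regardless of the real login, so the step that gates further workflow execution fires. In the hardened variant the same value is compared as an opaque string, because an environment variable is never re-parsed as shell syntax. The same rule applies to any other event field under PR-author control, such as branch names or PR titles: pass them through `env:` and quote the variable, never inline the expression into `run:`.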

Investigated Components

The following list summarizes the code parts investigated during the audit that did not result in a finding.