Security: Webview signing oracle + CSP disabled (Tauri core) #76

Closed
opened 2026-07-08 02:40:28 +00:00 by icub3d · 0 comments
Owner

Severity: Critical — found in code review 2026-07-07 (Tauri core).

Problem

Two issues compound in the desktop client's key handling:

  1. CSP disabledclient/src-tauri/tauri.conf.json:24 sets "csp": null. Any XSS/injected script in the webview runs with full access to every exposed IPC command.
  2. Signing oraclesign(data) (client/src-tauri/src/identity.rs:283) signs any JS-supplied string with the active private key, with no domain separation and no user confirmation. A compromised webview can forge auth challenges, messages, or any protocol artifact attributable to the user.
  3. Unchecked key exportkey_export (identity.rs:370) writes the encrypted seed to a JS-chosen path under a JS-chosen passphrase that is never strength-checked (validate_passphrase is not called; it also marks weak/empty passphrases acceptable).

Keys never leave the Rust process, but the signing oracle + export path are just as damaging for impersonation/exfiltration. CSP-off is the amplifier.

Fix

  • Set a strict CSP (e.g. default-src 'self'; script-src 'self'; connect-src 'self' <server>; img-src 'self' data:).
  • Add domain-separation tags to signed payloads (decentcom-auth: vs decentcom-msg:) chosen by the command, not the caller; require native confirmation for high-value signs.
  • Enforce validate_passphrase(...).acceptable inside inner_key_export; raise the floor above "Weak"; source the destination path from a native save dialog rather than a raw JS path.
**Severity: Critical** — found in code review 2026-07-07 (Tauri core). ## Problem Two issues compound in the desktop client's key handling: 1. **CSP disabled** — `client/src-tauri/tauri.conf.json:24` sets `"csp": null`. Any XSS/injected script in the webview runs with full access to every exposed IPC command. 2. **Signing oracle** — `sign(data)` (`client/src-tauri/src/identity.rs:283`) signs *any* JS-supplied string with the active private key, with no domain separation and no user confirmation. A compromised webview can forge auth challenges, messages, or any protocol artifact attributable to the user. 3. **Unchecked key export** — `key_export` (`identity.rs:370`) writes the encrypted seed to a JS-chosen path under a JS-chosen passphrase that is never strength-checked (`validate_passphrase` is not called; it also marks weak/empty passphrases `acceptable`). Keys never leave the Rust process, but the signing oracle + export path are just as damaging for impersonation/exfiltration. CSP-off is the amplifier. ## Fix - [ ] Set a strict CSP (e.g. `default-src 'self'; script-src 'self'; connect-src 'self' <server>; img-src 'self' data:`). - [ ] Add domain-separation tags to signed payloads (`decentcom-auth:` vs `decentcom-msg:`) chosen by the command, not the caller; require native confirmation for high-value signs. - [ ] Enforce `validate_passphrase(...).acceptable` inside `inner_key_export`; raise the floor above "Weak"; source the destination path from a native save dialog rather than a raw JS path.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
icub3d/decentcom#76
No description provided.