
Understanding Tauri Ecosystem Security

This skill covers Tauri's organizational security practices, dependency management, vulnerability reporting, and comprehensive security auditing approaches.

Tauri Security Philosophy

Tauri operates on a principle of defense-in-depth with human-in-the-loop oversight. The framework acknowledges that "the weakest link in your application lifecycle essentially defines your security" and provides mechanisms to address threats at every stage.

Trust Boundaries

Tauri distinguishes between:
  • Rust backend code: Trusted, with full system access
  • Frontend code: Untrusted, runs in the system WebView
  • IPC layer: The communication bridge enforcing security boundaries
Frontend code accesses system resources exclusively through the IPC layer, with permissions restricted by capabilities defined in application configuration.

Organizational Security Practices

Build Pipeline Security

The Tauri organization uses highly automated GitHub Actions workflows with mandatory human review and approval before deployment.
Key practices:
  • Signed commits: Core repositories enforce signed commits to mitigate impersonation risks
  • Code review: Every pull request requires approval from at least one maintainer
  • Security workflows: Default security checks run on all code changes

Release Procedures

The working group manages releases through:
  1. Review code modifications and categorize PRs by scope
  2. Maintain current dependencies
  3. Conduct internal security audits for security-related PRs before minor and major releases
  4. Tag releases on the development branch, triggering:
    • Core functionality validation
    • Test execution
    • Security audits of dependencies
    • Changelog generation
    • Artifact creation
  5. Review and edit release notes before publication

Dependency Security

Auditing Dependencies

Use automated tools to identify vulnerable packages:

```bash
# Rust dependencies
cargo audit

# Node.js dependencies
npm audit
```

Advanced Supply Chain Tools

Consider emerging tools for deeper supply chain analysis:

```bash
# Verify dependencies against trusted sources
cargo vet

# Community-driven code reviews
cargo crev
```

Dependency Pinning

For critical dependencies, pin to specific git hash revisions rather than floating versions:

```toml
# Cargo.toml - pinned dependency
[dependencies]
critical-lib = { git = "https://github.com/org/repo", rev = "abc123def456" }
```

Keeping Dependencies Updated

Regularly update Tauri, compilers, and related tooling:

```bash
# Update Rust toolchain
rustup update

# Update Tauri CLI
cargo install tauri-cli --locked

# Check for outdated dependencies
cargo outdated
```

Application Lifecycle Security

Upstream Threats

Evaluate third-party libraries for:
  • Trustworthiness of maintainers
  • Maintenance status and update frequency
  • Known vulnerabilities
  • Code quality and review practices

Development Threats

Development server risks:
The default development server lacks encryption and authentication, exposing frontend assets to local networks. Only develop on trusted networks or implement mutual TLS (mTLS) for untrusted environments.
Machine hardening practices:
  • Avoid administrative accounts for daily coding
  • Never store production secrets on development machines
  • Prevent secrets from entering version control
  • Use hardware security tokens
  • Maintain minimal installed applications
  • Keep systems fully patched
Source control security:
  • Implement proper access controls for repositories
  • Require commit signing from all contributors

Buildtime Threats

CI/CD infrastructure:
Use reputable providers or host systems on controlled hardware. Pin action versions explicitly in workflows:

```yaml
# Good - pinned to specific version
- uses: actions/checkout@v4.1.1

# Bad - floating tag
- uses: actions/checkout@latest
```
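One way to audit workflows for the pinning rule above, as an added example (not Tauri's own tooling): the scanner classifies every `uses:` reference and goes beyond the two cases shown by also recognising full commit SHAs, which, unlike tags, cannot be re-pointed by the action's owner. The workflow text and the 40-character revision are constructed sample values, and `Pin`, `classify` and `scan` are names chosen for this example.

```rust
/// How a workflow `uses:` reference is pinned.
#[derive(Debug, PartialEq)]
pub enum Pin { CommitSha, VersionTag, Floating, Local }

/// Classify one reference such as `actions/checkout@v4.1.1`.
pub fn classify(reference: &str) -> Pin {
    if reference.starts_with("./") { return Pin::Local; } // action in this repository
    let rev = match reference.rsplit_once('@') {
        Some((_, rev)) => rev,
        None => return Pin::Floating, // no revision given at all
    };
    let is_sha = rev.len() == 40 && rev.chars().all(|c| c.is_ascii_hexdigit());
    // A full x.y.z tag is specific, but a tag can still be re-pointed upstream.
    let parts: Vec<&str> = rev.strip_prefix('v').unwrap_or(rev).split('.').collect();
    let is_full_version = parts.len() == 3
        && parts.iter().all(|p| !p.is_empty() && p.chars().all(|c| c.is_ascii_digit()));
    match (is_sha, is_full_version) {
        (true, _) => Pin::CommitSha,
        (_, true) => Pin::VersionTag,
        _ => Pin::Floating, // `latest`, `main`, `v4`, ...
    }
}

/// Return (line number, reference, pin) for every `uses:` line in a workflow.
pub fn scan(workflow: &str) -> Vec<(usize, String, Pin)> {
    workflow.lines().enumerate().filter_map(|(i, line)| {
        let step = line.trim_start().trim_start_matches("- ");
        let rest = step.trim_start().strip_prefix("uses:")?;
        // Drop a trailing YAML comment and optional quotes around the value.
        let reference = rest.split('#').next().unwrap_or("").trim()
            .trim_matches(|c: char| c == '"' || c == '\'');
        Some((i + 1, reference.to_string(), classify(reference)))
    }).collect()
}

// Constructed sample workflow; the 40-hex revision is a made-up placeholder.
const SAMPLE: &str = "\
steps:
  - uses: actions/checkout@v4.1.1
  - uses: actions/checkout@latest
  - uses: actions/checkout@v4
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed
  - uses: ./.github/actions/local
";

fn main() {
    for (n, r, p) in scan(SAMPLE) { println!("line {n}: {r} -> {p:?}"); }
}
```

In CI, failing the job on any `Floating` result enforces the rule shown above; whether `VersionTag` is also rejected depends on how much trust is placed in the action's publisher.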

**Reproducible builds:**

Current challenge: Rust and many frontend bundlers do not reliably produce reproducible builds by default. Maintain high trust in CI/CD systems until reproducibility tooling improves.

Distribution Threats

Control over manifest servers, build systems, and binary hosting is essential. Consider trusted third-party solutions for binary distribution.

Runtime Threats

Tauri assumes webview insecurity and implements protections via:
  • Content Security Policy (CSP)
  • Capabilities system
  • Runtime authority validation

Content Security Policy

CSP mitigates cross-site scripting (XSS) attacks. Tauri automatically handles cryptographic protections for bundled assets.

CSP Configuration

```json
{
  "app": {
    "security": {
      "csp": {
        "default-src": "'self' customprotocol: asset:",
        "connect-src": "ipc: http://ipc.localhost",
        "font-src": ["https://fonts.gstatic.com"],
        "img-src": "'self' asset: http://asset.localhost blob: data:",
        "style-src": "'unsafe-inline' 'self' https://fonts.googleapis.com"
      }
    }
  }
}
```

CSP Best Practices

  • Make policies as restrictive as possible
  • Whitelist only trusted, preferably self-owned hosts
  • Avoid remote scripts from CDNs (they introduce attack vectors)
  • For WebAssembly frontends, include 'wasm-unsafe-eval' in script-src

Permissions and Capabilities

Permission Structure

Permissions describe explicit privileges governing frontend command access:

```toml
# src-tauri/permissions/my-permission.toml
[[permission]]
identifier = "my-identifier"
description = "Describes the impact and scope"
commands.allow = ["read_file"]

[[scope.allow]]
my-scope = "$HOME/*"

[[scope.deny]]
my-scope = "$HOME/secret"
```

Capability Configuration

Capabilities grant permissions to specific windows or webviews:

```json
{
  "identifier": "main-window-capability",
  "description": "Capability for the main window",
  "windows": ["main"],
  "permissions": [
    "core:default",
    "fs:read-files",
    "fs:scope-home"
  ]
}
```

Security Boundaries

Capabilities help to:
  • Minimize the impact of a frontend compromise
  • Guard against accidental exposure of system data
  • Guard against privilege escalation from frontend to backend
Capabilities do NOT protect against:
  • Malicious Rust code
  • Overly permissive scopes
  • WebView zero-day vulnerabilities
  • Supply chain attacks

Command Scopes

Scopes provide granular control with allow and deny rules (deny always supersedes allow):

```toml
# Allow recursive directory access
[[scope.allow]]
path = "$APPLOCALDATA/**"

# Deny sensitive folders
[[scope.deny]]
path = "$APPLOCALDATA/EBWebView"
```

Command developers must ensure no scope bypasses are possible through careful validation.
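A sketch of the validation a command can perform before touching a path, as an added example (not Tauri's scope implementation): it resolves symlinks and `..` before matching, and checks deny before allow. The `Scope` type, `check_scope`, and the directory tree built under the temp directory are assumptions made for this example.

```rust
use std::fs;
use std::io::{Error, ErrorKind, Result};
use std::path::{Path, PathBuf};

/// Hypothetical scope type for this example (not Tauri's own): canonical roots.
pub struct Scope { pub allow: Vec<PathBuf>, pub deny: Vec<PathBuf> }

// Path::starts_with compares whole components, so /data2 is not under /data.
fn under(roots: &[PathBuf], p: &Path) -> bool { roots.iter().any(|r| p.starts_with(r)) }

/// Returns the canonical path the command should operate on, or PermissionDenied.
pub fn check_scope(scope: &Scope, requested: &Path) -> Result<PathBuf> {
    // canonicalize() resolves symlinks and `..`: decide on the real target.
    let real = fs::canonicalize(requested)?;
    if under(&scope.deny, &real) { // deny is checked first and always wins
        return Err(Error::new(ErrorKind::PermissionDenied, "denied scope"));
    }
    if !under(&scope.allow, &real) { // default deny outside every allow root
        return Err(Error::new(ErrorKind::PermissionDenied, "outside allowed scope"));
    }
    Ok(real)
}

/// Builds a constructed tree in the temp dir and returns the four verdicts.
pub fn demo() -> Result<[bool; 4]> {
    let root = std::env::temp_dir().join(format!("scope-demo-{}", std::process::id()));
    fs::create_dir_all(root.join("data/EBWebView"))?;
    fs::create_dir_all(root.join("outside"))?;
    for f in ["data/notes.txt", "data/EBWebView/Cookies", "outside/secret"] {
        fs::write(root.join(f), b"constructed sample")?;
    }
    #[cfg(unix)] // a link inside the allowed tree that points out of it
    std::os::unix::fs::symlink(root.join("outside/secret"), root.join("data/link"))?;
    let scope = Scope {
        allow: vec![fs::canonicalize(root.join("data"))?],
        deny: vec![fs::canonicalize(root.join("data/EBWebView"))?],
    };
    let ok = |p: &str| check_scope(&scope, &root.join(p)).is_ok();
    let verdicts = [
        ok("data/notes.txt"),                      // plain file in scope
        ok("data/EBWebView/Cookies"),              // deny beats allow
        ok("data/link"),                           // symlink leaves the scope
        ok("data/EBWebView/../../outside/secret"), // traversal leaves the scope
    ];
    fs::remove_dir_all(&root)?;
    Ok(verdicts)
}

fn main() { println!("{:?}", demo()); }
```

The command should open the path returned by `check_scope` rather than the string it received; a check followed by a later open can still race with a concurrent rename, so keep the two as close together as possible.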

Runtime Authority

The runtime authority manages security enforcement at runtime:
  1. Intercepts IPC requests from webview
  2. Validates origin authorization
  3. Confirms capability inclusion
  4. Applies command-specific scopes
  5. Permits or denies execution
This multi-layer validation creates defense-in-depth against privilege escalation.

Vulnerability Reporting

How to Report

Report vulnerabilities privately through:
  • Preferred: GitHub Private Vulnerability Disclosure feature
  • Alternative: Email to security@tauri.app

What NOT to Do

Do not disclose vulnerabilities via:
  • Pull requests
  • GitHub issues
  • Discord
  • Forum posts

Disclosure Process

The Tauri team commits to:
  • Triaging reports promptly
  • Maintaining confidentiality during investigation
  • Following the 90-day standard for coordinated public disclosure
  • Offering optional public attribution

Supported Versions

Only Tauri versions greater than 1.0 receive security support. Earlier versions receive no security updates.

Security Audit Checklist

Pre-Release Audit

Dependency Audit

  • Run cargo audit - no critical vulnerabilities
  • Run npm audit - no critical vulnerabilities
  • Review new dependencies for trustworthiness
  • Check dependency update status

Configuration Audit

  • CSP configured and restrictive
  • Capabilities follow least-privilege principle
  • Scopes properly deny sensitive paths
  • No overly permissive glob patterns

Code Audit

  • IPC commands validate all inputs
  • No scope bypass vulnerabilities
  • Secrets not hardcoded or logged
  • Error messages do not leak sensitive info

Build Audit

  • CI/CD actions pinned to specific versions
  • Build artifacts signed
  • Distribution channels secured

Periodic Security Review

Upstream Review

  • Tauri updated to latest stable
  • Rust toolchain updated
  • Frontend dependencies updated
  • Known CVEs addressed

Access Control Review

  • Repository access appropriate
  • Commit signing enforced
  • CI/CD secrets rotated
  • Development machine security verified

Runtime Review

  • WebView security patches applied (OS updates)
  • Capability configuration still appropriate
  • No deprecated permissions in use

Known Security Advisory Patterns

Based on historical advisories, watch for:
  1. iFrame bypass vulnerabilities: Origin checks may be circumvented
  2. Filesystem scope issues: Glob patterns may be overly permissive
  3. Symbolic link bypasses: File operations may follow symlinks unexpectedly
  4. Open redirect risks: External sites may access IPC
  5. Dotfile handling: Hidden files may bypass scope restrictions

Security Resources

Official Channels

Recommended Tools

| Tool | Purpose |
|------|---------|
| cargo audit | Rust vulnerability scanning |
| npm audit | Node.js vulnerability scanning |
| cargo vet | Dependency verification |
| cargo crev | Community code reviews |
| cargo outdated | Dependency freshness |

Summary

Tauri ecosystem security requires attention across the entire application lifecycle:
  1. Upstream: Audit and pin dependencies
  2. Development: Harden machines, secure source control
  3. Build: Secure CI/CD, pin action versions
  4. Distribution: Control hosting infrastructure
  5. Runtime: Configure CSP, capabilities, and scopes
The framework provides robust security primitives, but their effectiveness depends on proper configuration and ongoing vigilance. Regular audits, prompt vulnerability patching, and following least-privilege principles are essential for maintaining secure Tauri applications.