Update Rust crate tauri to v1.6.7 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tauri (source)	dependencies	patch	=1.6.6 -> =1.6.7

GitHub Vulnerability Alerts

CVE-2024-35222

Impact

Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2.
This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window.

For this to be exploitable, an attacker must have script execution (e.g. XSS) in a script-enabled iFrame of a Tauri application.

Patches

The patches include changes to wry and the behaviour of Tauri applications using iFrames. Previously, we injected the Tauri IPC initialization script into iFrames on MacOS, which was unintended. This is now also disabled to be consistent with all other supported operating systems.

This means that the Tauri invoke functionality is no longer accessible from iFrames, except on Windows when the origin of the Tauri window and the origin of the iFrame are the same.

We have also added a new protection mechanism to the IPC layer to protect against iFrames directly using the WebView IPC functionality (e.g. via window.ipc.postMessage).
This introduces an invoke key (__TAURI_INVOKE_KEY__) which is used to prevent frames that have not been initialized by the Tauri core from sending messages to the Tauri IPC.
This key is not used to protect against compromised Tauri windows or WebViews and is only intended to block IPC access from sub-frames.

Unauthorized messages to the Tauri IPC from an iFrame or other non-initialized context will log a warning and the potentially malicious IPC call will be ignored.

Workarounds

These workarounds should only be considered if you are unable to upgrade to the patched Tauri version in time.

As a workaround for v1 Tauri applications, we recommend using a dedicated window for untrusted origins instead of iFrames, or disabling script execution within the iFrame.

For v2 Tauri applications targeting Linux, it is possible to use either a dedicated window or multiple WebViews in the main window to simulate iFrame behavior.
On other platforms, it is only possible to use dedicated windows or disable script execution inside the iFrame, as described for v1.

References

If you have any questions or comments about this advisory:

Open an issue in tauri or
Email us at [email protected]

The original submissions from the reporter:

Context

This is following up on the comments here: https://github.com/tauri-apps/tauri/issues/8316, and here: https://discord.com/channels/616186924390023171/1227969106091966475. I was asked to submit my findings as a vulnerability report.

Firstly, thank you to all of you from the core team that helped out and guided me through understanding this issue! Huge fan of Tauri, and I'm excited to see it succeed!

Summary

In short, any iframe you add in your Tauri frontend will get access to Tauri APIs, even in isolation mode.

Any embedded iframe that you don't own will be able to invoke the same APIs your app does. While isolation mode allows for finer grained control of what Tauri APIs can be called, it is not possible to determine if a request is coming your own app, or from a potentially malicious iframe.

This means your app could be open to malicious iframe being able to execute any command your app can, and there doesn't seem to be a mechanism to filter these out.

Details

I'm not an expert in Tauri source code, so I can't be sure I'm on the right track here, but I assume this has to do with how the webview is bootstrapped with the Tauri APIs.

I know there's various handlers that get set, such as opening target="_blank" links via a shell command, and of course setting invoke and other such APIs. Sounds like the issue is somewhere there and the APIs are being injected where they shouldn't.

Technically it seems that an attacker couldn't actually receive a response from the command it executes. Tauri IPC can't route the response back to the invoking iframe, but the action is still executed, with the response just being dropped. You see these messages in the logs:

[Warning] [TAURI] Couldn't find callback id 3399436348 in window. This happens when the app is reloaded while Rust is running an asynchronous operation.

PoC

Repository with reproduction steps: https://github.com/begleynk/tauri-sandbox-iframe-escape-poc

Building on that POC, here is a video of a Codepen iframe running inside an isolation mode Tauri app, invoking the same "Greet" command the frontend is invoking.

Export-1712922222595.mp4

This is done with the following code running inside Codepen:

window.__TAURI_INVOKE__("greet", { name: "From CodePen" })

Impact

Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app.

---

Release Notes

tauri-apps/tauri (tauri)

v1.6.7: tauri v1.6.7

Compare Source

Updating crates.io index

Cargo Audit

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 627 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (589 crate dependencies)
Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── clap 3.2.25
    └── tauri 1.6.7
        ├── tauri 1.6.7
        ├── restart 0.1.0
        └── app-updater 0.1.0

warning: 1 allowed warning found

[1.6.7]

Bug Fixes

• 50aabad1f(#​9818) On Windows, fix flashing PowerShell for updates for NSIS installer, and address possible "permission denied" problems.

Security fixes

• f6d81dfe0 Only process IPC commands from the main frame.

Dependencies

• Upgraded to [email protected]

Cargo Publish

Updating crates.io index
   Packaging tauri v1.6.7 (/home/runner/work/tauri/tauri/core/tauri)
    Updating crates.io index
   Verifying tauri v1.6.7 (/home/runner/work/tauri/tauri/core/tauri)
 Downloading crates ...
  Downloaded alloc-no-stdlib v2.0.4
  Downloaded base64 v0.21.7
  Downloaded brotli-decompressor v2.5.1
  Downloaded block-buffer v0.10.4
  Downloaded digest v0.10.7
  Downloaded generic-array v0.14.7
  Downloaded ico v0.3.0
  Downloaded tar v0.4.40
  Downloaded xattr v1.3.1
  Downloaded typenum v1.17.0
  Downloaded tokio-macros v2.2.0
  Downloaded tauri-macros v1.4.4
  Downloaded brotli v3.5.0
  Downloaded tauri-codegen v1.4.3
  Downloaded alloc-stdlib v0.2.2
  Downloaded state v0.5.3
  Downloaded signal-hook-registry v1.4.2
  Downloaded sha2 v0.10.8
  Downloaded serialize-to-javascript-impl v0.1.1
  Downloaded serialize-to-javascript v0.1.1
  Downloaded serde_repr v0.1.19
  Downloaded libm v0.2.8
  Downloaded ignore v0.4.22
  Downloaded globset v0.4.14
  Downloaded glob v0.3.1
  Downloaded futures-macro v0.3.30
  Downloaded dirs-sys-next v0.1.2
  Downloaded dirs-next v2.0.0
  Downloaded crypto-common v0.1.6
  Downloaded cpufeatures v0.2.12
  Downloaded tauri-runtime-wry v0.14.8
   Compiling proc-macro2 v1.0.83
   Compiling unicode-ident v1.0.12
   Compiling serde v1.0.202
   Compiling libc v0.2.155
   Compiling smallvec v1.13.2
   Compiling pkg-config v0.3.30
   Compiling hashbrown v0.14.5
   Compiling quote v1.0.36
   Compiling equivalent v1.0.1
   Compiling indexmap v2.2.6
   Compiling syn v2.0.65
   Compiling heck v0.5.0
   Compiling target-lexicon v0.12.14
   Compiling winnow v0.6.8
   Compiling version-compare v0.2.0
   Compiling cfg-if v1.0.0
   Compiling autocfg v1.3.0
   Compiling cfg-expr v0.15.8
   Compiling syn v1.0.109
   Compiling version_check v0.9.4
   Compiling siphasher v0.3.11
   Compiling ppv-lite86 v0.2.17
   Compiling once_cell v1.19.0
   Compiling getrandom v0.2.15
   Compiling bitflags v1.3.2
   Compiling thiserror v1.0.61
   Compiling getrandom v0.1.16
   Compiling rand_core v0.6.4
   Compiling proc-macro-error-attr v1.0.4
   Compiling rand_chacha v0.3.1
   Compiling proc-macro-error v1.0.4
   Compiling slab v0.4.9
   Compiling anyhow v1.0.86
   Compiling winnow v0.5.40
   Compiling rand_core v0.5.1
   Compiling futures-core v0.3.30
   Compiling pin-project-lite v0.2.14
   Compiling rand v0.8.5
   Compiling pin-utils v0.1.0
   Compiling futures-task v0.3.30
   Compiling rand_chacha v0.2.2
   Compiling serde_derive v1.0.202
   Compiling thiserror-impl v1.0.61
   Compiling futures-macro v0.3.30
   Compiling futures-util v0.3.30
   Compiling rand_pcg v0.2.1
   Compiling phf_shared v0.10.0
   Compiling heck v0.4.1
   Compiling unicode-segmentation v1.11.0
   Compiling rand v0.7.3
   Compiling heck v0.3.3
   Compiling futures-channel v0.3.30
   Compiling phf_shared v0.8.0
   Compiling lock_api v0.4.12
   Compiling cfg-expr v0.9.1
   Compiling parking_lot_core v0.9.10
   Compiling version-compare v0.0.11
   Compiling fnv v1.0.7
   Compiling semver v1.0.23
   Compiling futures-executor v0.3.30
   Compiling phf_generator v0.8.0
   Compiling log v0.4.21
   Compiling scopeguard v1.2.0
   Compiling phf_generator v0.10.0
   Compiling proc-macro-hack v0.5.20+deprecated
   Compiling itoa v1.0.11
   Compiling parking_lot v0.12.2
   Compiling byteorder v1.5.0
   Compiling new_debug_unreachable v1.0.6
   Compiling ryu v1.0.18
   Compiling string_cache_codegen v0.5.2
   Compiling phf_codegen v0.10.0
   Compiling memchr v2.7.2
   Compiling mac v0.1.1
   Compiling ident_case v1.0.1
   Compiling tinyvec_macros v0.1.1
   Compiling strsim v0.11.1
   Compiling gio v0.15.12
   Compiling precomputed-hash v0.1.1
   Compiling phf_macros v0.8.0
   Compiling darling_core v0.20.9
   Compiling tinyvec v1.6.0
   Compiling futf v0.1.5
   Compiling markup5ever v0.11.0
   Compiling phf_codegen v0.8.0
   Compiling cssparser v0.27.2
   Compiling uuid v1.8.0
   Compiling toml_datetime v0.6.6
   Compiling serde_spanned v0.6.6
   Compiling toml_edit v0.22.13
   Compiling toml_edit v0.19.15
   Compiling toml v0.5.11
   Compiling toml v0.8.13
   Compiling system-deps v6.2.2
   Compiling proc-macro-crate v1.3.1
   Compiling system-deps v5.0.0
   Compiling utf-8 v0.7.6
   Compiling glib-macros v0.15.13
   Compiling dtoa v1.0.9
   Compiling futures-io v0.3.30
   Compiling glib-sys v0.15.10
   Compiling gobject-sys v0.15.10
   Compiling gdk-sys v0.15.1
   Compiling gio-sys v0.15.10
   Compiling atk-sys v0.15.1
   Compiling gdk-pixbuf-sys v0.15.10
   Compiling pango-sys v0.15.10
   Compiling cairo-sys-rs v0.15.1
   Compiling gtk-sys v0.15.3
   Compiling glib v0.15.12
   Compiling simd-adler32 v0.3.7
   Compiling soup2-sys v0.2.0
   Compiling dtoa-short v0.3.4
   Compiling tendril v0.4.3
   Compiling darling_macro v0.20.9
   Compiling string_cache v0.8.7
   Compiling selectors v0.22.0
   Compiling phf v0.8.0
   Compiling unicode-normalization v0.1.23
   Compiling rustc_version v0.4.0
   Compiling phf v0.10.1
   Compiling html5ever v0.26.0
   Compiling cssparser-macros v0.6.1
   Compiling phf_shared v0.11.2
   Compiling memoffset v0.9.1
   Compiling indexmap v1.9.3
   Compiling alloc-no-stdlib v2.0.4
   Compiling typenum v1.17.0
   Compiling percent-encoding v2.3.1
   Compiling unicode-bidi v0.3.15
   Compiling matches v0.1.10
   Compiling convert_case v0.4.0
   Compiling stable_deref_trait v1.2.0
   Compiling crossbeam-utils v0.8.20
   Compiling itoa v0.4.8
   Compiling nodrop v0.1.14
   Compiling adler v1.0.2
   Compiling miniz_oxide v0.7.3
   Compiling servo_arc v0.1.1
   Compiling derive_more v0.99.17
   Compiling idna v0.5.0
   Compiling form_urlencoded v1.2.1
   Compiling alloc-stdlib v0.2.2
   Compiling phf_generator v0.11.2
   Compiling field-offset v0.3.6
   Compiling darling v0.20.9
   Compiling fxhash v0.2.1
   Compiling generic-array v0.14.7
   Compiling crc32fast v1.4.2
   Compiling serde_json v1.0.117
   Compiling thin-slice v0.1.1
   Compiling hashbrown v0.12.3
   Compiling flate2 v1.0.30
   Compiling serde_with_macros v3.8.1
   Compiling phf_macros v0.11.2
   Compiling brotli-decompressor v2.5.1
   Compiling url v2.5.0
   Compiling pango v0.15.10
   Compiling cairo-rs v0.15.12
   Compiling fdeflate v0.3.4
   Compiling javascriptcore-rs-sys v0.4.0
   Compiling cfb v0.7.3
   Compiling gtk v0.15.5
   Compiling same-file v1.0.6
   Compiling walkdir v2.5.0
   Compiling gdk-pixbuf v0.15.11
   Compiling infer v0.13.0
   Compiling png v0.17.13
   Compiling gdk v0.15.4
   Compiling brotli v3.5.0
   Compiling phf v0.11.2
   Compiling serde_with v3.8.1
   Compiling kuchikiki v0.8.2
   Compiling atk v0.15.1
   Compiling webkit2gtk-sys v0.18.0
   Compiling gtk3-macros v0.15.6
   Compiling ctor v0.2.8
   Compiling x11 v2.21.0
   Compiling dunce v1.0.4
   Compiling gdkx11-sys v0.15.1
   Compiling x11-dl v2.21.0
   Compiling rustix v0.38.34
   Compiling cc v1.0.98
   Compiling bytes v1.6.0
   Compiling tao v0.16.9
   Compiling block-buffer v0.10.4
   Compiling crypto-common v0.1.6
   Compiling bitflags v2.5.0
   Compiling raw-window-handle v0.5.2
   Compiling linux-raw-sys v0.4.14
   Compiling digest v0.10.7
   Compiling json-patch v1.4.0
   Compiling http v0.2.12
   Compiling soup2 v0.2.1
   Compiling javascriptcore-rs v0.16.0
   Compiling crossbeam-channel v0.5.13
   Compiling gdkwayland-sys v0.15.3
   Compiling aho-corasick v1.1.3
   Compiling instant v0.1.13
   Compiling regex-syntax v0.8.3
   Compiling lazy_static v1.4.0
   Compiling tauri-runtime v0.14.3
   Compiling cpufeatures v0.2.12
   Compiling wry v0.24.10
   Compiling glob v0.3.1
   Compiling tauri-utils v1.5.4
   Compiling sha2 v0.10.8
   Compiling regex-automata v0.4.6
   Compiling ico v0.3.0
   Compiling crossbeam-epoch v0.9.18
   Compiling bstr v1.9.1
   Compiling tauri-runtime-wry v0.14.8
   Compiling http-range v0.1.5
   Compiling base64 v0.21.7
   Compiling globset v0.4.14
   Compiling tauri-codegen v1.4.3
   Compiling crossbeam-deque v0.8.5
   Compiling xattr v1.3.1
   Compiling serialize-to-javascript-impl v0.1.1
   Compiling tauri v1.6.7 (/home/runner/work/tauri/tauri/target/package/tauri-1.6.7)
   Compiling filetime v0.2.23
   Compiling num_cpus v1.16.0
   Compiling dirs-sys-next v0.1.2
   Compiling fastrand v2.1.0
   Compiling dirs-next v2.0.0
   Compiling tokio v1.37.0
   Compiling tempfile v3.10.1
   Compiling webkit2gtk v0.18.2
   Compiling tauri-macros v1.4.4
   Compiling tar v0.4.40
   Compiling serialize-to-javascript v0.1.1
   Compiling ignore v0.4.22
   Compiling serde_repr v0.1.19
   Compiling encoding_rs v0.8.34
   Compiling state v0.5.3
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 1m 19s
    Packaged 76 files, 998.1KiB (223.2KiB compressed)
   Uploading tauri v1.6.7 (/home/runner/work/tauri/tauri/core/tauri)
    Uploaded tauri v1.6.7 to registry `crates-io`
note: waiting for `tauri v1.6.7` to be available at registry `crates-io`.
You may press ctrl-c to skip waiting; the crate should be available shortly.
   Published tauri v1.6.7 at registry `crates-io`

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.