Announcing Tauri 1.3.0

The Tauri team is excited to announce the 1.3 release. This version includes security improvements, new features and important bug fixes.
Upgrading
Make sure to update both NPM and Cargo dependencies to the 1.3.0 release. You can update the dependencies with:

    npm install @tauri-apps/cli@latest @tauri-apps/api@latest
    yarn upgrade @tauri-apps/cli @tauri-apps/api --latest
    pnpm update @tauri-apps/cli @tauri-apps/api --latest
    cargo update

What's in 1.3.0
The Tauri CLI can now create Windows application installers using NSIS. This new bundle target is also available on macOS and Linux as an experimental feature, so you can cross-compile your Windows installer. Documentation on the latter will be published soon.
Tauri 1.3 Audit
The internal audit was performed by @tweidinger and @chippers, who are involved in most security topics at the Tauri project. It was performed during paid time at CrabNebula and we are grateful to be able to spend parts of our work time contributing to the open source project and making it a more secure environment ❤️.
We manually audited over 45 PRs. Some PRs (e.g. #5544) led us to dive into very old RFCs (RFC6068 and RFC3966), NSIS documentation (e.g. #6039) and many other external resources. We documented questions, notes and findings in markdown files and shared these notes with the responsible developers to ensure appropriate fixes.
The changes from a security perspective and the findings of the audit are summarized in the following sub-sections.
External API Access #5918
This was by far the most impactful and time-consuming PR we investigated. This PR introduces a streamlined way for applications to allow external domains access to the Tauri IPC layer [1], and its use majorly impacts the security model of a Tauri application. Security impact [2] depends on the exposure [3] of the feature, the enabled Tauri commands and the capabilities of an adversary [4].
We consider this new feature similar to driving a very fast race car without any safety features enabled and urge developers to very, very carefully consider whether they really need this exposure.
Before this addition was merged, a semi-known vulnerability was (ab)used by application developers to achieve the same functionality. To make the whole community aware of this risk we published a security advisory to give a heads up. Applications are affected if they allow users to navigate to arbitrary domains or have an open redirect vulnerability [5]. If you implement such a feature you should update to the 1.3 release as fast as possible.
The initial PR changes allowed wildcards (https://*) and glob patterns, which we believe are helpful but shouldn't be exposed to all Tauri developers. We concluded that the risk of over-exposure, like the allow list toggle to enable all Tauri API endpoints, does not justify this permissive exposure. The final implementation allows configuring specified (sub)domains [6] (e.g. example.com) to gain remote access to the Tauri IPC.
The few edge use cases which require wildcards or even further exposure can be implemented by custom Rust code, which is able to dynamically modify the IPC access. We now expose this remote IPC scope in a similar fashion to the fs or http scope.
Assuming a fully trusted web service on https://trusted.example, it is now possible to configure the security scope to allow certain windows or even plugins access to custom implemented commands and, optionally, the inbuilt Tauri API:

    "security": {
      "dangerousRemoteUrlIpcAccess": [
        {
          "windows": ["main", "settings"],
          "domain": "trusted.example",
          "plugins": ["trusted-plugin"],
          "enableTauriAPI": false
        }
      ]
    }

Shared domains MUST NOT be used for this under any circumstances. We do not limit access to paths or specific files. You can only scope with trusted (sub)domains [6]. Another very risky catch is that developers must be sure that the domain ownership does not change over the lifetime of the application. Domain takeover could lead to compromised user devices.
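A review check for entries like the one above, as an added example rather than Tauri's own code: it flags the cases this section warns about (wildcards, values that are not a bare domain, shared domains, and the inbuilt Tauri API being enabled). The `RemoteAccess` struct, the `Finding` enum and the shared-suffix list are assumptions made for the illustration.

```rust
/// One `dangerousRemoteUrlIpcAccess` entry; only the two fields the audit
/// needs are modeled here.
struct RemoteAccess<'a> {
    domain: &'a str,
    enable_tauri_api: bool,
}

#[derive(Debug, PartialEq)]
enum Finding {
    Wildcard,        // globs such as https://* are not accepted as a scope
    NotABareDomain,  // scheme, port or path: the scope is per (sub)domain only
    SharedDomain,    // other parties can publish content under this suffix
    TauriApiEnabled, // remote content can reach the inbuilt Tauri API
}

/// Constructed sample of suffixes where anyone can register a host.
const SHARED_SUFFIXES: &[&str] = &["github.io", "pages.dev", "netlify.app"];

fn audit(entry: &RemoteAccess) -> Vec<Finding> {
    let d = entry.domain.trim().to_ascii_lowercase();
    let mut findings = Vec::new();
    if d.contains('*') || d.contains('?') {
        findings.push(Finding::Wildcard);
    }
    if d.is_empty() || d.contains('/') || d.contains(':') {
        findings.push(Finding::NotABareDomain);
    }
    // Match on label boundaries so "notgithub.io" is not flagged.
    let shared = SHARED_SUFFIXES
        .iter()
        .any(|s| d == *s || d.ends_with(&format!(".{}", s)));
    if shared {
        findings.push(Finding::SharedDomain);
    }
    if entry.enable_tauri_api {
        findings.push(Finding::TauriApiEnabled);
    }
    findings
}

fn main() {
    // Constructed entries: the one from the text plus three risky variants.
    let entries = [("trusted.example", false), ("https://*", true),
                   ("myapp.github.io", false), ("trusted.example/app", false)];
    for (domain, enable_tauri_api) in entries {
        let findings = audit(&RemoteAccess { domain, enable_tauri_api });
        println!("{:<22} {:?}", domain, findings);
    }
}
```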
Browser Arguments #5799
Because certain webview features were neither enabled nor accessible, a community contribution introduced the possibility to add additional arguments to the webview process, which is created in a new window.
This feature was exposed to the frontend in the window endpoint. We found that this exposure was highly risky, as most webviews have very impactful features and flags that can be allowed via the process arguments.
All of the following threat model assumptions are based on Tauri window creation being allowed in the allowlist of the tauri.conf and therefore exposed to the frontend. This PR affects Windows only, so there is no impact on the other supported operating systems.
An adversary with the capabilities to create windows and pass command line arguments to the webview can elevate their privileges to escape the strict sandboxing of Tauri and the webview.
The flags make it possible to enable several dangerous webview features, from loading profiles outside of the current default profile folder (stealing browser sessions from the device) to disabling security measures of the webview (e.g. certificate validation, sandboxing, webdriver/headless mode, device management endpoints, …).
We found an old but gold and still unique documentation reference at https://peter.sh/experiments/chromium-command-line-switches/, which helped us understand possible risks on Windows, as Webview2 uses the same flags.
The feature was then changed to be exposed only on the Rust side. Tauri application developers can use this to implement custom commands that invoke webview windows with use-case-specific arguments.
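One way to keep such a custom command narrow, as an added example that is not Tauri's code: the frontend only names a use case, and the Rust side maps it to a fixed argument string that is checked against an allowlist before it is handed to the window. The use-case names and the allowlist contents are constructed for the illustration.

```rust
/// Allowlist of switches and the values each may carry. Constructed for this
/// example; anything not listed is refused.
const POLICY: &[(&str, &[&str])] = &[
    ("--disable-features", &["msWebOOUI", "msPdfOOUI", "msSmartScreenProtection"]),
    ("--autoplay-policy", &["no-user-gesture-required"]),
];

#[derive(Debug, PartialEq)]
enum ArgError {
    NotASwitch(String),
    SwitchNotAllowed(String),
    ValueNotAllowed(String),
}

/// Validates a browser-argument string against POLICY and returns it unchanged.
fn validate_browser_args(args: &str) -> Result<&str, ArgError> {
    for token in args.split_whitespace() {
        if !token.starts_with("--") || token.contains('"') {
            return Err(ArgError::NotASwitch(token.to_string()));
        }
        let (name, value) = token.split_once('=').unwrap_or((token, ""));
        let allowed = POLICY
            .iter()
            .find(|(switch, _)| *switch == name)
            .map(|(_, values)| *values)
            .ok_or_else(|| ArgError::SwitchNotAllowed(name.to_string()))?;
        // Every comma-separated value must be individually allowed.
        if value.split(',').any(|v| !allowed.contains(&v)) {
            return Err(ArgError::ValueNotAllowed(token.to_string()));
        }
    }
    Ok(args)
}

/// The frontend selects a named use case; it never supplies the argument string.
fn args_for_use_case(use_case: &str) -> Option<&'static str> {
    match use_case {
        "default" => Some("--disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection"),
        "kiosk-video" => Some("--disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --autoplay-policy=no-user-gesture-required"),
        _ => None,
    }
}

fn main() {
    for case in ["default", "kiosk-video", "debug"] {
        println!("{:?} -> {:?}", case, args_for_use_case(case).map(validate_browser_args));
    }
}
```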
Possible ZipSlip #4674
We found that the components to extract remote bundler files like the Webview2 installer were manually extracting single files with the extract_zip function, which uses ZipFile::name() instead of ZipFile::enclosed_name() as recommended in the documentation. Files which had names like ../../../../foo.sh could be extracted outside of the intended directory on the filesystem. This kind of vulnerability is called ZipSlip.
As the function was only used on verified and trusted files, the impact here was nearly zero. Regardless, we changed the implementation to use the proper extraction method.
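The difference between joining the raw entry name and checking it first, as an added example (not the bundler's code and not the zip crate's implementation): `enclosed_target` is a hypothetical helper that applies the kind of component check `ZipFile::enclosed_name()` is recommended for, and the entry names are constructed.

```rust
use std::path::{Component, Path, PathBuf};

/// Naive extraction target: trusts the raw entry name, as a join on the
/// value of `ZipFile::name()` would.
fn naive_target(dest: &Path, entry_name: &str) -> PathBuf {
    dest.join(entry_name)
}

/// Safe extraction target: None unless the entry stays inside `dest`.
fn enclosed_target(dest: &Path, entry_name: &str) -> Option<PathBuf> {
    // Zip names use '/', but archives built on Windows may carry '\'.
    let normalized = entry_name.replace('\\', "/");
    if normalized.contains('\0') {
        return None;
    }
    let mut depth = 0usize;
    let mut out = dest.to_path_buf();
    for component in Path::new(&normalized).components() {
        match component {
            // Absolute paths and drive prefixes replace `dest` when joined.
            Component::Prefix(_) | Component::RootDir => return None,
            // ".." is tolerated only while it stays below the extraction root.
            Component::ParentDir => {
                depth = depth.checked_sub(1)?;
                out.pop();
            }
            Component::Normal(part) => {
                depth += 1;
                out.push(part);
            }
            Component::CurDir => {}
        }
    }
    // A name that resolves to the root itself is not a usable file target.
    if depth == 0 { None } else { Some(out) }
}

fn main() {
    let dest = Path::new("/tmp/bundler-tools");
    // Constructed entry names, including the one from the text above.
    for name in ["nsis/makensis.exe", "a/../b.txt", "../../../../foo.sh", "/etc/cron.d/x"] {
        println!("{} -> naive={:?} safe={:?}",
            name, naive_target(dest, name), enclosed_target(dest, name));
    }
}
```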
Bundler Hardening #6039
The bundler was not escaping content passed to handlebars::Handlebars::render(), which could cause unwanted code execution during the bundler phase. This was also a low impact issue but was promptly fixed.
Other changes
New
- additional_browser_args option when creating a window. #5799
- Added the is_minimized() window method. #5618
- Added the title getter on the window. #5515
- Content protection API. #5513
- Added the Builder::device_event_filter and App::set_device_event_filter methods. #5562
- Added WindowsAttributes::app_manifest to specify the application manifest on Windows. #5730
- Added support for Cargo's workspace inheritance. #5775 #6144
- Added the window's url() getter. #5914
- Added Window::on_navigation. #5686
- Allow setting the text of the dialog buttons. #4383
- Implemented SystemTray::with_tooltip and SystemTrayHandle::set_tooltip on Windows and macOS. #5938
- Added dylib support to tauri.bundle.macOS.frameworks. #5732
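Enhancements
- On Windows, the msi installer's Launch App checkbox will be checked by default. #5871
- Added the --png option to the icon command to generate custom icon sizes. #5246
- On Windows, change the webview theme based on the window theme for more accurate prefers-color-scheme support. #5874
- Removed default features from the Cargo.toml template. #6074
- Added a method to the WindowBuilder struct to recreate windows from tauri.conf.json configurations. #6073
- Improved the error message when rustc cannot be found. #6021
- Added support for pre-release identifiers and build numbers for the .msi bundle target. Only one of each can be used and it must be numeric only. The version must still be semver compatible according to https://semver.org/. #6096
- Added the --ci flag to the signer generate command, which also respects the CI environment variable. In this case the default password will be an empty string and the CLI will not prompt for a value. #6097
- Skip the password prompt on the build command when the TAURI_KEY_PASSWORD environment variable is empty and the --ci argument is provided or the CI environment variable is set. d4f89af18d69fd95a4d8a1ede8442547c6a6d0ee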
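Fixes
- Fixed tauri info panicking when parsing crate versions on a newly created project without a Cargo.lock file. #5873
- Fixed building apps with Unicode characters in their productName. #5872
- Sync __TAURI_METADATA__.__windows across all windows. #5615
- Fixed a resize glitch when double-clicking a custom titlebar in the top resize area. #5966
- Disabled cursor mouse events on Linux. #6025
- Fixed serialization of a JS Map when used in invoke. #6099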
[1] Inter-Process Communication, in this instance the communication between the Tauri core and the frontend code run inside the webview.
[2] Security Impact: What is the theoretical biggest impact of this threat combination? This highly depends on correct scoping of Tauri API endpoints and hardening of custom implemented Tauri commands.
[3] Exposure: Describes the exposed scope items of this feature to either a user or an adversary. It is possible to restrict exposure to only certain domains, windows or only to custom implemented commands.
[4] Adversary Capabilities: What kind of privileges does the adversary have? Can range from tricking a user into entering malicious input to code execution in the frontend via cross-site scripting (which is the highest privilege for frontend code in our case). Common capabilities are described in the OWASP documentation.
[5] An application can be exploited if it parses user input for making a URL redirection decision, which is then not properly validated. Wikipedia Source
[6] See the Reqwest reference.