feat(security): Rust #[tauri::command] parameter-to-sink taint MVP (closes #240)#250
Merged
Merged
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
…loses #240) security --check taint previously had zero Rust coverage (ast_taint_engine.get_supported_languages() is Python/JS/TS/TSX only). Verified this session on a real Tauri workspace: genuine param->sink flows in .rs files invisible to the scanner. Scope narrowed from the original issue during design (see docs/design/0240-tauri-command-param-taint.md): full cross-language IPC correlation (tracing a TS invoke() call across the boundary to its Rust command) needs cross-language graph edges the current architecture doesn't build. But it's not needed for most of the value — every #[tauri::command] parameter is untrusted-by-construction (that IS how Tauri's IPC delivers frontend data), so the command attribute itself marks the taint source and it reduces to an intra-procedural problem. New scripts/rust_command_taint.py: regex-based (documented trade-off vs full AST — possible false positives on sanitized params, no sanitizer allowlist in v1, every param->sink flow reported for review). Detects a tauri command parameter reaching Command::new / std::process::Command / std::fs path ops within the brace-matched function body. Routing in taint.py: --language rust runs only this scanner; default (no --language) merges its findings into the Python/JS taint output; --language python/js/ts is unaffected. Verified all three paths. Verified on the real workspace: correctly flagged save_pdf's temp_path/save_path -> std::fs::copy (a real param->sink flow, has validators the MVP intentionally doesn't analyze), and correctly did NOT flag health_get_snapshot where the Command::new sinks live in separate helper functions outside the command body.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Closes #240.
Summary
First Rust taint coverage in
security --check taint. Scope narrowed from the original issue during design (seedocs/design/0240-tauri-command-param-taint.md): full cross-language IPC correlation is out of scope, but it isn't needed for most of the value — every#[tauri::command]parameter is untrusted-by-construction, so the attribute marks the source and it becomes an intra-procedural problem.scripts/rust_command_taint.py— regex-based (documented trade-off vs full AST), detects a tauri command param reachingCommand::new/std::process::Command/std::fspath ops within the brace-matched function body.--language rustruns only this scanner; default merges its findings into the Python/JS taint output;--language python/js/tsunaffected.Test plan
pytest tests/test_rust_command_taint.py— 5/5 (param→Command::new, param→std::fs, helper-fn Command::new NOT flagged, param-never-reaches-sink NOT flagged, non-command fn NOT flagged)pytest tests/test_issue195_consolidation.py tests/test_command_registry.py— passsave_pdf's params →std::fs::copy; correctly did NOT flaghealth_get_snapshot(Command::new sinks live in separate helpers outside the command body). All 3 language-routing paths verified.