Skip to content

feat(security): Rust #[tauri::command] parameter-to-sink taint MVP (closes #240)#250

Merged
Wolfvin merged 1 commit into
mainfrom
feat/issue-240-rust-tauri-taint
Jul 12, 2026
Merged

feat(security): Rust #[tauri::command] parameter-to-sink taint MVP (closes #240)#250
Wolfvin merged 1 commit into
mainfrom
feat/issue-240-rust-tauri-taint

Conversation

@Wolfvin

@Wolfvin Wolfvin commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Closes #240.

Summary

First Rust taint coverage in security --check taint. Scope narrowed from the original issue during design (see docs/design/0240-tauri-command-param-taint.md): full cross-language IPC correlation is out of scope, but it isn't needed for most of the value — every #[tauri::command] parameter is untrusted-by-construction, so the attribute marks the source and it becomes an intra-procedural problem.

  • New scripts/rust_command_taint.py — regex-based (documented trade-off vs full AST), detects a tauri command param reaching Command::new / std::process::Command / std::fs path ops within the brace-matched function body.
  • --language rust runs only this scanner; default merges its findings into the Python/JS taint output; --language python/js/ts unaffected.

Test plan

  • pytest tests/test_rust_command_taint.py — 5/5 (param→Command::new, param→std::fs, helper-fn Command::new NOT flagged, param-never-reaches-sink NOT flagged, non-command fn NOT flagged)
  • pytest tests/test_issue195_consolidation.py tests/test_command_registry.py — pass
  • design-doc CI check passes (new feature file + design doc present)
  • Real workspace: correctly flagged save_pdf's params → std::fs::copy; correctly did NOT flag health_get_snapshot (Command::new sinks live in separate helpers outside the command body). All 3 language-routing paths verified.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@Wolfvin Wolfvin merged commit 77a8265 into main Jul 12, 2026
1 of 7 checks passed
@Wolfvin Wolfvin deleted the feat/issue-240-rust-tauri-taint branch July 12, 2026 13:05
…loses #240)

security --check taint previously had zero Rust coverage
(ast_taint_engine.get_supported_languages() is Python/JS/TS/TSX only).
Verified this session on a real Tauri workspace: genuine param->sink
flows in .rs files invisible to the scanner.

Scope narrowed from the original issue during design (see
docs/design/0240-tauri-command-param-taint.md): full cross-language IPC
correlation (tracing a TS invoke() call across the boundary to its Rust
command) needs cross-language graph edges the current architecture
doesn't build. But it's not needed for most of the value — every
#[tauri::command] parameter is untrusted-by-construction (that IS how
Tauri's IPC delivers frontend data), so the command attribute itself
marks the taint source and it reduces to an intra-procedural problem.

New scripts/rust_command_taint.py: regex-based (documented trade-off vs
full AST — possible false positives on sanitized params, no sanitizer
allowlist in v1, every param->sink flow reported for review). Detects a
tauri command parameter reaching Command::new / std::process::Command /
std::fs path ops within the brace-matched function body.

Routing in taint.py: --language rust runs only this scanner; default
(no --language) merges its findings into the Python/JS taint output;
--language python/js/ts is unaffected. Verified all three paths.

Verified on the real workspace: correctly flagged save_pdf's
temp_path/save_path -> std::fs::copy (a real param->sink flow, has
validators the MVP intentionally doesn't analyze), and correctly did
NOT flag health_get_snapshot where the Command::new sinks live in
separate helper functions outside the command body.
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(security): Tauri IPC-aware taint MVP — invoke() source to #[tauri::command] sink

1 participant