Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
feat(core): block remote URLs from accessing the IPC
This was cherry picked from ee71c31, keeping only the logic to block remote URLs from using the IPC.
PR: #5918
  • Loading branch information
lucasfernog committed Apr 12, 2023
1 parent 34e03b8 commit fa90214
Show file tree
Hide file tree
Showing 12 changed files with 128 additions and 57 deletions.
7 changes: 7 additions & 0 deletions .changes/remote-urls.md
@@ -0,0 +1,7 @@
---
"tauri": patch
"tauri-runtime": patch
"tauri-runtime-wry": patch
---

Block remote URLs from accessing the IPC.
2 changes: 1 addition & 1 deletion core/tauri-build/src/static_vcruntime.rs
Expand Up @@ -54,5 +54,5 @@ fn override_msvcrt_lib() {
f.write_all(bytes).unwrap();
}
// Add the output directory to the native library path.
println!("cargo:rustc-link-search=native={}", out_dir);
println!("cargo:rustc-link-search=native={out_dir}");
}
1 change: 1 addition & 0 deletions core/tauri-runtime-wry/Cargo.toml
Expand Up @@ -19,6 +19,7 @@ tauri-utils = { version = "1.0.3", path = "../tauri-utils" }
uuid = { version = "1", features = [ "v4" ] }
rand = "0.8"
raw-window-handle = "0.4.3"
url = "2"

[target."cfg(windows)".dependencies]
webview2-com = "0.16.0"
Expand Down
17 changes: 15 additions & 2 deletions core/tauri-runtime-wry/src/lib.rs
Expand Up @@ -41,6 +41,7 @@ use wry::application::platform::windows::{WindowBuilderExtWindows, WindowExtWind
use wry::application::system_tray::{SystemTray as WrySystemTray, SystemTrayBuilder};

use tauri_utils::{config::WindowConfig, debug_eprintln, Theme};
use url::Url;
use uuid::Uuid;
use wry::{
application::{
Expand Down Expand Up @@ -216,6 +217,7 @@ impl<T: UserEvent> Context<T> {
impl<T: UserEvent> Context<T> {
fn create_webview(&self, pending: PendingWindow<T, Wry<T>>) -> Result<DetachedWindow<T, Wry<T>>> {
let label = pending.label.clone();
let current_url = pending.current_url.clone();
let menu_ids = pending.menu_ids.clone();
let js_event_listeners = pending.js_event_listeners.clone();
let context = self.clone();
Expand All @@ -237,6 +239,7 @@ impl<T: UserEvent> Context<T> {
};
Ok(DetachedWindow {
label,
current_url,
dispatcher,
menu_ids,
js_event_listeners,
Expand Down Expand Up @@ -1862,6 +1865,7 @@ impl<T: UserEvent> Runtime<T> for Wry<T> {

fn create_window(&self, pending: PendingWindow<T, Self>) -> Result<DetachedWindow<T, Self>> {
let label = pending.label.clone();
let current_url = pending.current_url.clone();
let menu_ids = pending.menu_ids.clone();
let js_event_listeners = pending.js_event_listeners.clone();
let window_id = rand::random();
Expand Down Expand Up @@ -1889,6 +1893,7 @@ impl<T: UserEvent> Runtime<T> for Wry<T> {

Ok(DetachedWindow {
label,
current_url,
dispatcher,
menu_ids,
js_event_listeners,
Expand Down Expand Up @@ -2833,7 +2838,7 @@ fn create_webview<T: UserEvent>(
mut window_builder,
ipc_handler,
label,
url,
current_url,
menu_ids,
js_event_listeners,
..
Expand Down Expand Up @@ -2871,16 +2876,22 @@ fn create_webview<T: UserEvent>(
}
let mut webview_builder = WebViewBuilder::new(window)
.map_err(|e| Error::CreateWebview(Box::new(e)))?
.with_url(&url)
.with_url(current_url.lock().unwrap().as_str())
.unwrap() // safe to unwrap because we validate the URL beforehand
.with_transparent(is_window_transparent);
if webview_attributes.file_drop_handler_enabled {
webview_builder = webview_builder.with_file_drop_handler(create_file_drop_handler(&context));
}
if let Some(navigation_handler) = pending.navigation_handler {
webview_builder = webview_builder.with_navigation_handler(move |url| {
Url::parse(&url).map(&navigation_handler).unwrap_or(true)
});
}
if let Some(handler) = ipc_handler {
webview_builder = webview_builder.with_ipc_handler(create_ipc_handler(
context,
label.clone(),
current_url,
menu_ids,
js_event_listeners,
handler,
Expand Down Expand Up @@ -2984,6 +2995,7 @@ fn create_webview<T: UserEvent>(
fn create_ipc_handler<T: UserEvent>(
context: Context<T>,
label: String,
current_url: Arc<Mutex<Url>>,
menu_ids: Arc<Mutex<HashMap<MenuHash, MenuId>>>,
js_event_listeners: Arc<Mutex<HashMap<JsEventListenerKey, HashSet<u64>>>>,
handler: WebviewIpcHandler<T, Wry<T>>,
Expand All @@ -2992,6 +3004,7 @@ fn create_ipc_handler<T: UserEvent>(
let window_id = context.webview_id_map.get(&window.id());
handler(
DetachedWindow {
current_url: current_url.clone(),
dispatcher: WryDispatcher {
window_id,
context: context.clone(),
Expand Down
1 change: 1 addition & 0 deletions core/tauri-runtime/Cargo.toml
Expand Up @@ -32,6 +32,7 @@ http = "0.2.4"
http-range = "0.1.4"
infer = "0.7"
raw-window-handle = "0.4.3"
url = "2"

[target."cfg(windows)".dependencies]
webview2-com = "0.16.0"
Expand Down
20 changes: 15 additions & 5 deletions core/tauri-runtime/src/window.rs
Expand Up @@ -12,6 +12,7 @@ use crate::{
};
use serde::{Deserialize, Deserializer, Serialize};
use tauri_utils::{config::WindowConfig, Theme};
use url::Url;

use std::{
collections::{HashMap, HashSet},
Expand Down Expand Up @@ -226,14 +227,17 @@ pub struct PendingWindow<T: UserEvent, R: Runtime<T>> {
/// How to handle IPC calls on the webview window.
pub ipc_handler: Option<WebviewIpcHandler<T, R>>,

/// The resolved URL to load on the webview.
pub url: String,

/// Maps runtime id to a string menu id.
pub menu_ids: Arc<Mutex<HashMap<MenuHash, MenuId>>>,

/// A HashMap mapping JS event names with associated listener ids.
pub js_event_listeners: Arc<Mutex<HashMap<JsEventListenerKey, HashSet<u64>>>>,

/// A handler to decide if incoming url is allowed to navigate.
pub navigation_handler: Option<Box<dyn Fn(Url) -> bool + Send>>,

/// The current webview URL.
pub current_url: Arc<Mutex<Url>>,
}

pub fn is_label_valid(label: &str) -> bool {
Expand Down Expand Up @@ -270,9 +274,10 @@ impl<T: UserEvent, R: Runtime<T>> PendingWindow<T, R> {
uri_scheme_protocols: Default::default(),
label,
ipc_handler: None,
url: "tauri://localhost".to_string(),
menu_ids: Arc::new(Mutex::new(menu_ids)),
js_event_listeners: Default::default(),
navigation_handler: Default::default(),
current_url: Arc::new(Mutex::new("tauri://localhost".parse().unwrap())),
})
}
}
Expand All @@ -299,9 +304,10 @@ impl<T: UserEvent, R: Runtime<T>> PendingWindow<T, R> {
uri_scheme_protocols: Default::default(),
label,
ipc_handler: None,
url: "tauri://localhost".to_string(),
menu_ids: Arc::new(Mutex::new(menu_ids)),
js_event_listeners: Default::default(),
navigation_handler: Default::default(),
current_url: Arc::new(Mutex::new("tauri://localhost".parse().unwrap())),
})
}
}
Expand Down Expand Up @@ -342,6 +348,9 @@ pub struct JsEventListenerKey {
/// A webview window that is not yet managed by Tauri.
#[derive(Debug)]
pub struct DetachedWindow<T: UserEvent, R: Runtime<T>> {
/// The current webview URL.
pub current_url: Arc<Mutex<Url>>,

/// Name of the window
pub label: String,

Expand All @@ -358,6 +367,7 @@ pub struct DetachedWindow<T: UserEvent, R: Runtime<T>> {
impl<T: UserEvent, R: Runtime<T>> Clone for DetachedWindow<T, R> {
fn clone(&self) -> Self {
Self {
current_url: self.current_url.clone(),
label: self.label.clone(),
dispatcher: self.dispatcher.clone(),
menu_ids: self.menu_ids.clone(),
Expand Down
2 changes: 1 addition & 1 deletion core/tauri/src/app.rs
Expand Up @@ -902,7 +902,7 @@ impl<R: Runtime> Builder<R> {
#[cfg(any(windows, target_os = "linux"))]
runtime_any_thread: false,
setup: Box::new(|_| Ok(())),
invoke_handler: Box::new(|_| ()),
invoke_handler: Box::new(|invoke| invoke.resolver.reject("not implemented")),
invoke_responder: Arc::new(window_invoke_responder),
invoke_initialization_script:
"Object.defineProperty(window, '__TAURI_POST_MESSAGE__', { value: (message) => window.ipc.postMessage(JSON.stringify(message)) })".into(),
Expand Down
89 changes: 52 additions & 37 deletions core/tauri/src/manager.rs
Expand Up @@ -25,10 +25,9 @@ use tauri_utils::{
html::{SCRIPT_NONCE_TOKEN, STYLE_NONCE_TOKEN},
};

use crate::hooks::IpcJavascript;
#[cfg(feature = "isolation")]
use crate::hooks::IsolationJavascript;
use crate::pattern::{format_real_schema, PatternJavascript};
use crate::pattern::PatternJavascript;
use crate::{
app::{AppHandle, GlobalWindowEvent, GlobalWindowEventListener},
event::{assert_event_name_is_valid, Event, EventHandler, Listeners},
Expand All @@ -54,6 +53,7 @@ use crate::{
app::{GlobalMenuEventListener, WindowMenuEvent},
window::WebResourceRequestHandler,
};
use crate::{hooks::IpcJavascript, pattern::format_real_schema};

#[cfg(any(target_os = "linux", target_os = "windows"))]
use crate::api::path::{resolve_path, BaseDirectory};
Expand Down Expand Up @@ -136,7 +136,7 @@ fn set_csp<R: Runtime>(
let default_src = csp
.entry("default-src".into())
.or_insert_with(Default::default);
default_src.push(format_real_schema(schema));
default_src.push(crate::pattern::format_real_schema(schema));
}

Csp::DirectiveMap(csp).to_string()
Expand Down Expand Up @@ -225,7 +225,7 @@ pub struct InnerWindowManager<R: Runtime> {
/// The script that initializes the invoke system.
invoke_initialization_script: String,
/// Application pattern.
pattern: Pattern,
pub(crate) pattern: Pattern,
}

impl<R: Runtime> fmt::Debug for InnerWindowManager<R> {
Expand Down Expand Up @@ -357,9 +357,12 @@ impl<R: Runtime> WindowManager<R> {
/// Get the base URL to use for webview requests.
///
/// In dev mode, this will be based on the `devPath` configuration value.
fn get_url(&self) -> Cow<'_, Url> {
pub(crate) fn get_url(&self) -> Cow<'_, Url> {
match self.base_path() {
AppUrl::Url(WindowUrl::External(url)) => Cow::Borrowed(url),
#[cfg(windows)]
_ => Cow::Owned(Url::parse("https://tauri.localhost").unwrap()),
#[cfg(not(windows))]
_ => Cow::Owned(Url::parse("tauri://localhost").unwrap()),
}
}
Expand Down Expand Up @@ -467,7 +470,7 @@ impl<R: Runtime> WindowManager<R> {
});
}

let window_url = Url::parse(&pending.url).unwrap();
let window_url = pending.current_url.lock().unwrap().clone();
let window_origin =
if cfg!(windows) && window_url.scheme() != "http" && window_url.scheme() != "https" {
format!("https://{}.localhost", window_url.scheme())
Expand Down Expand Up @@ -1001,7 +1004,16 @@ mod test {
);

#[cfg(custom_protocol)]
assert_eq!(manager.get_url().to_string(), "tauri://localhost");
{
assert_eq!(
manager.get_url().to_string(),
if cfg!(windows) {
"https://tauri.localhost/"
} else {
"tauri://localhost"
}
);
}

#[cfg(dev)]
assert_eq!(manager.get_url().to_string(), "http://localhost:4000/");
Expand Down Expand Up @@ -1052,27 +1064,21 @@ impl<R: Runtime> WindowManager<R> {
return Err(crate::Error::WindowLabelAlreadyExists(pending.label));
}
#[allow(unused_mut)] // mut url only for the data-url parsing
let (is_local, mut url) = match &pending.webview_attributes.url {
let mut url = match &pending.webview_attributes.url {
WindowUrl::App(path) => {
let url = self.get_url();
(
true,
// ignore "index.html" just to simplify the url
if path.to_str() != Some("index.html") {
url
.join(&*path.to_string_lossy())
.map_err(crate::Error::InvalidUrl)
// this will never fail
.unwrap()
} else {
url.into_owned()
},
)
}
WindowUrl::External(url) => {
let config_url = self.get_url();
(config_url.make_relative(url).is_some(), url.clone())
// ignore "index.html" just to simplify the url
if path.to_str() != Some("index.html") {
url
.join(&*path.to_string_lossy())
.map_err(crate::Error::InvalidUrl)
// this will never fail
.unwrap()
} else {
url.into_owned()
}
}
WindowUrl::External(url) => url.clone(),
_ => unimplemented!(),
};

Expand All @@ -1099,7 +1105,7 @@ impl<R: Runtime> WindowManager<R> {
}
}

pending.url = url.to_string();
*pending.current_url.lock().unwrap() = url;

if !pending.window_builder.has_icon() {
if let Some(default_window_icon) = self.inner.default_window_icon.clone() {
Expand All @@ -1115,17 +1121,15 @@ impl<R: Runtime> WindowManager<R> {
}
}

if is_local {
let label = pending.label.clone();
pending = self.prepare_pending_window(
pending,
&label,
window_labels,
app_handle.clone(),
web_resource_request_handler,
)?;
pending.ipc_handler = Some(self.prepare_ipc_handler(app_handle));
}
let label = pending.label.clone();
pending = self.prepare_pending_window(
pending,
&label,
window_labels,
app_handle.clone(),
web_resource_request_handler,
)?;
pending.ipc_handler = Some(self.prepare_ipc_handler(app_handle));

// in `Windows`, we need to force a data_directory
// but we do respect user-specification
Expand All @@ -1150,6 +1154,17 @@ impl<R: Runtime> WindowManager<R> {
}
}

let current_url_ = pending.current_url.clone();
let navigation_handler = pending.navigation_handler.take();
pending.navigation_handler = Some(Box::new(move |url| {
*current_url_.lock().unwrap() = url.clone();
if let Some(handler) = &navigation_handler {
handler(url)
} else {
true
}
}));

Ok(pending)
}

Expand Down
7 changes: 5 additions & 2 deletions core/tauri/src/pattern.rs
Expand Up @@ -11,6 +11,9 @@ use serialize_to_javascript::{default_template, Template};

use tauri_utils::assets::{Assets, EmbeddedAssets};

/// The domain of the isolation iframe source.
pub const ISOLATION_IFRAME_SRC_DOMAIN: &str = "localhost";

/// An application pattern.
#[derive(Debug, Clone)]
pub enum Pattern<A: Assets = EmbeddedAssets> {
Expand Down Expand Up @@ -87,8 +90,8 @@ pub(crate) struct PatternJavascript {
#[allow(dead_code)]
pub(crate) fn format_real_schema(schema: &str) -> String {
if cfg!(windows) {
format!("https://{}.localhost", schema)
format!("https://{schema}.{ISOLATION_IFRAME_SRC_DOMAIN}")
} else {
format!("{}://localhost", schema)
format!("{schema}://{ISOLATION_IFRAME_SRC_DOMAIN}")
}
}

0 comments on commit fa90214

Please sign in to comment.