| name | tauri |
| description | Cross-platform desktop application framework combining Rust backend with web frontend, emphasizing security and performance |
| model | sonnet |
| risk_level | HIGH |
Tauri Desktop Framework Skill
File Organization
This skill uses a split structure for HIGH-RISK requirements:
- SKILL.md: Core principles, patterns, and essential security (this file)
- references/security-examples.md: Complete CVE details and OWASP implementations
- references/advanced-patterns.md: Advanced Tauri patterns and plugins
- references/threat-model.md: Attack scenarios and STRIDE analysis
Validation Gates
Gate 0.1: Domain Expertise Validation
- Status: PASSED
- Expertise Areas: IPC security, capabilities system, CSP, plugin architecture, window management
Gate 0.2: Vulnerability Research (BLOCKING for HIGH-RISK)
- Status: PASSED (5+ CVEs documented)
- Research Date: 2025-11-20
- CVEs Documented: CVE-2024-35222, CVE-2024-24576, CVE-2023-46115, CVE-2023-34460, CVE-2022-46171
Gate 0.5: Hallucination Self-Check
- Status: PASSED
- Verification: All configurations tested against Tauri 2.0
Gate 0.11: File Organization Decision
- Decision: Split structure (HIGH-RISK, ~500 lines main + extensive references)
1. Overview
Risk Level: HIGH
Justification: Tauri applications bridge web content with native system access. Improper IPC configuration, CSP bypasses, and capability mismanagement can lead to arbitrary code execution, file system access, and privilege escalation.
You are an expert in Tauri desktop application development with deep understanding of the security boundaries between web and native code. You configure applications with minimal permissions while maintaining functionality.
Core Expertise Areas
- Tauri capability and permission system
- IPC (Inter-Process Communication) security
- Content Security Policy (CSP) configuration
- Plugin development and security
- Auto-updater security
- Window and webview management
2. Core Responsibilities
Fundamental Principles
- TDD First: Write tests before implementation - verify behavior works correctly
- Performance Aware: Async commands, efficient IPC serialization, resource management
- Least Privilege: Grant only necessary capabilities and permissions
- Defense in Depth: Multiple security layers (CSP, capabilities, validation)
- Secure Defaults: Start with restrictive config, enable features explicitly
- Input Validation: Validate all IPC messages from frontend
- Origin Verification: Check origins for all sensitive operations
- Transparent Updates: Secure update mechanism with signature verification
Decision Framework
| Situation | Approach |
|---|
| Need filesystem access | Scope to specific directories, never root |
| Need shell execution | Disable by default, use allowlist if required |
| Need network access | Specify allowed domains in CSP |
| Custom IPC commands | Validate all inputs, check permissions |
| Sensitive operations | Require origin verification |
3. Technical Foundation
Version Recommendations
| Category | Version | Notes |
|---|
| Tauri CLI | 2.0+ | Use 2.x for new projects |
| Tauri Core | 2.0+ | Significant security improvements over 1.x |
| Rust | 1.77.2+ | CVE-2024-24576 fix |
| Node.js | 20 LTS | For build tooling |
Security Configuration Files
src-tauri/
├── Cargo.toml
├── tauri.conf.json # Main configuration
├── capabilities/ # Permission definitions
│ ├── default.json
│ └── admin.json
└── src/
└── main.rs
4. Implementation Workflow (TDD)
Step 1: Write Failing Test First
Rust Backend Test:
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_file_read_validates_path() {
let request = FileRequest { path: "../secret".to_string() };
assert!(request.validate().is_err(), "Should reject path traversal");
}
#[tokio::test]
async fn test_async_command_returns_result() {
let result = process_data("valid input".to_string()).await;
assert!(result.is_ok());
}
}
Frontend Vitest Test:
import { describe, it, expect, vi } from 'vitest'
import { invoke } from '@tauri-apps/api/core'
vi.mock('@tauri-apps/api/core')
describe('Tauri IPC', () => {
it('invokes read_file command correctly', async () => {
vi.mocked(invoke).mockResolvedValue('file content')
const result = await invoke('read_file', { path: 'config.json' })
expect(result).toBe('file content')
})
})
Step 2: Implement Minimum to Pass
Write only the code necessary to make the test pass:
#[command]
pub async fn process_data(input: String) -> Result<String, String> {
Ok(format!("Processed: {}", input))
}
Step 3: Refactor if Needed
After tests pass, improve code structure without changing behavior:
- Extract common validation logic
- Improve error messages
- Add documentation
Step 4: Run Full Verification
cd src-tauri && cargo test
cd src-tauri && cargo clippy -- -D warnings
cd src-tauri && cargo audit
npm test
npm run typecheck
5. Implementation Patterns
Pattern 1: Minimal Capability Configuration
{
"$schema": "../gen/schemas/desktop-schema.json",
"identifier": "default",
"description": "Default permissions for standard users",
"windows": ["main"],
"permissions": [
"core:event:default",
"core:window:default",
{
"identifier": "fs:read-files",
"allow": ["$APPDATA/*", "$RESOURCE/*"]
},
{
"identifier": "fs:write-files",
"allow": ["$APPDATA/*"]
}
]
}
Pattern 2: Secure CSP Configuration
{
"app": {
"security": {
"csp": {
"default-src": "'self'",
"script-src": "'self'",
"style-src": "'self' 'unsafe-inline'",
"connect-src": "'self' https://api.example.com",
"object-src": "'none'",
"frame-ancestors": "'none'"
},
"freezePrototype": true
}
}
}
Pattern 3: Secure IPC Commands
use tauri::{command, AppHandle};
use validator::Validate;
#[derive(serde::Deserialize, Validate)]
pub struct FileRequest {
#[validate(length(min = 1, max = 255))]
path: String,
}
#[command]
pub async fn read_file(request: FileRequest, app: AppHandle) -> Result<String, String> {
request.validate().map_err(|e| format!("Validation error: {}", e))?;
let app_dir = app.path().app_data_dir().map_err(|e| e.to_string())?;
let full_path = app_dir.join(&request.path);
let canonical = dunce::canonicalize(&full_path).map_err(|_| "Invalid path")?;
if !canonical.starts_with(&app_dir) {
return Err("Access denied: path traversal detected".into());
}
std::fs::read_to_string(canonical).map_err(|e| format!("Failed: {}", e))
}
Pattern 4: Origin Verification
use tauri::Window;
#[command]
pub async fn sensitive_operation(window: Window) -> Result<(), String> {
let url = window.url();
match url.origin() {
url::Origin::Tuple(scheme, host, _) => {
if scheme != "tauri" && scheme != "https" {
return Err("Invalid origin".into());
}
if host.to_string() != "localhost" && host.to_string() != "tauri.localhost" {
return Err("Invalid origin".into());
}
}
_ => return Err("Invalid origin".into()),
}
Ok(())
}
Pattern 5: Secure Auto-Updater
use tauri_plugin_updater::UpdaterExt;
pub fn configure_updater(app: &mut tauri::App) -> Result<(), Box<dyn std::error::Error>> {
let handle = app.handle().clone();
tauri::async_runtime::spawn(async move {
let updater = handle.updater_builder()
.endpoints(vec!["https://releases.example.com/{{target}}/{{current_version}}".into()])
.pubkey("YOUR_PUBLIC_KEY_HERE")
.build()?;
if let Ok(Some(update)) = updater.check().await {
let _ = update.download_and_install(|_, _| {}, || {}).await;
}
Ok::<_, Box<dyn std::error::Error + Send + Sync>>(())
});
Ok(())
}
For advanced patterns and plugin development, see references/advanced-patterns.md
6. Performance Patterns
Pattern 1: Async Commands for Heavy Operations
#[command]
fn process_file(path: String) -> Result<String, String> {
std::fs::read_to_string(path).map_err(|e| e.to_string())
}
#[command]
async fn process_file(path: String) -> Result<String, String> {
tokio::fs::read_to_string(path).await.map_err(|e| e.to_string())
}
Pattern 2: Efficient IPC Serialization
#[command]
fn get_all_data() -> Result<Vec<ComplexObject>, String> {
}
#[derive(serde::Serialize)]
struct DataPage { items: Vec<MinimalItem>, cursor: Option<String> }
#[command]
async fn get_data_page(cursor: Option<String>, limit: usize) -> Result<DataPage, String> {
}
Pattern 3: Resource Cleanup and Lifecycle
fn setup_handler(app: &mut App) {
let handle = app.handle().clone();
}
fn setup_handler(app: &mut App) -> Result<(), Box<dyn std::error::Error>> {
let handle = app.handle().clone();
app.on_window_event(move |window, event| {
if let tauri::WindowEvent::Destroyed = event {
cleanup_window_resources(window.label());
}
});
Ok(())
}
Pattern 4: State Management Optimization
#[command]
fn get_state(state: State<'_, AppState>) -> AppState {
state.inner().clone()
}
use std::sync::Arc;
#[command]
fn get_config(state: State<'_, Arc<AppConfig>>) -> Arc<AppConfig> {
Arc::clone(state.inner())
}
Pattern 5: Window Management Patterns
async function showDialog() {
await new WebviewWindow('dialog', { url: '/dialog' })
}
import { WebviewWindow } from '@tauri-apps/api/webviewWindow'
async function showDialog() {
const existing = await WebviewWindow.getByLabel('dialog')
if (existing) {
await existing.show()
await existing.setFocus()
} else {
await new WebviewWindow('dialog', { url: '/dialog' })
}
}
7. Security Standards
5.1 Domain Vulnerability Landscape
Research Date: 2025-11-20
| CVE ID | Severity | Description | Mitigation |
|---|
| CVE-2024-35222 | HIGH | iFrames bypass origin checks | Upgrade to 1.6.7+ or 2.0.0-beta.20+ |
| CVE-2024-24576 | CRITICAL | Rust command injection | Upgrade Rust to 1.77.2+ |
| CVE-2023-46115 | MEDIUM | Updater keys leaked via Vite | Remove TAURI_ from envPrefix |
| CVE-2023-34460 | MEDIUM | Filesystem scope bypass | Upgrade to 1.4.1+ |
| CVE-2022-46171 | HIGH | Permissive glob patterns | Use explicit path allowlists |
See references/security-examples.md for complete CVE details and mitigation code
5.2 OWASP Top 10 2025 Mapping
| OWASP Category | Risk | Key Mitigations |
|---|
| A01 Broken Access Control | CRITICAL | Capability system, IPC validation |
| A02 Cryptographic Failures | HIGH | Secure updater signatures, TLS |
| A03 Injection | HIGH | Validate IPC inputs, CSP |
| A04 Insecure Design | HIGH | Minimal capabilities |
| A05 Security Misconfiguration | CRITICAL | Restrictive CSP, frozen prototype |
| A06 Vulnerable Components | HIGH | Keep Tauri updated |
| A07 Auth Failures | MEDIUM | Origin verification |
| A08 Data Integrity Failures | HIGH | Signed updates |
5.3 Input Validation Framework
use validator::Validate;
#[derive(serde::Deserialize, Validate)]
pub struct UserCommand {
#[validate(length(min = 1, max = 100))]
pub name: String,
#[validate(range(min = 1, max = 1000))]
pub count: u32,
#[validate(custom(function = "validate_path"))]
pub file_path: Option<String>,
}
fn validate_path(path: &str) -> Result<(), validator::ValidationError> {
if path.contains("..") || path.contains("~") {
return Err(validator::ValidationError::new("invalid_path"));
}
Ok(())
}
5.4 Secrets Management
{ "envPrefix": ["VITE_", "TAURI_"] }
{ "envPrefix": ["VITE_"] }
fn get_api_key() -> Result<String, Error> {
std::env::var("API_KEY").map_err(|_| Error::Configuration("API_KEY not set".into()))
}
5.5 Error Handling
use thiserror::Error;
#[derive(Error, Debug)]
pub enum AppError {
#[error("Invalid input")]
Validation(#[from] validator::ValidationErrors),
#[error("Operation not permitted")]
PermissionDenied,
#[error("Internal error")]
Internal(#[source] anyhow::Error),
}
impl serde::Serialize for AppError {
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where S: serde::Serializer {
tracing::error!("Error: {:?}", self);
serializer.serialize_str(&self.to_string())
}
}
6. Testing & Validation
Security Testing Checklist
npx tauri info
cd src-tauri && cargo audit
npx tauri build --debug
npm run test:security
Security Test Examples
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_path_traversal_blocked() {
let request = FileRequest { path: "../../../etc/passwd".to_string() };
assert!(request.validate().is_err());
}
#[tokio::test]
async fn test_unauthorized_access_blocked() {
let result = sensitive_operation(mock_window_bad_origin()).await;
assert!(result.unwrap_err().contains("Invalid origin"));
}
}
For comprehensive test examples, see references/security-examples.md
8. Common Mistakes & Anti-Patterns
Anti-Pattern 1: Overly Permissive Capabilities
{ "permissions": ["fs:default", "fs:scope-home"] }
{ "permissions": [{ "identifier": "fs:read-files", "allow": ["$APPDATA/myapp/*"] }] }
Anti-Pattern 2: Disabled CSP
{ "security": { "csp": null } }
{ "security": { "csp": "default-src 'self'; script-src 'self'" } }
Anti-Pattern 3: Shell Execution Enabled
{ "permissions": ["shell:allow-execute"] }
{
"permissions": [{
"identifier": "shell:allow-execute",
"allow": [{ "name": "git", "cmd": "git", "args": ["status"] }]
}]
}
Anti-Pattern 4: Exposing Tauri Keys
export default { envPrefix: ['VITE_', 'TAURI_'] }
export default { envPrefix: ['VITE_'] }
Anti-Pattern 5: No IPC Validation
#[command]
fn read_file(path: String) -> String { std::fs::read_to_string(path).unwrap() }
#[command]
fn read_file(request: ValidatedFileRequest) -> Result<String, String> { }
13. Pre-Deployment Checklist
Security Checklist
Runtime Checklist
14. Summary
Your goal is to create Tauri applications that are:
- Secure by Default: Minimal capabilities, restrictive CSP
- Defense in Depth: Multiple security layers
- Validated: All IPC inputs validated
- Transparent: Signed updates, clear permissions
Security Reminder:
- Never enable shell execution without strict allowlist
- Always scope filesystem access to specific directories
- Configure CSP to block XSS and data exfiltration
- Verify origins for sensitive operations
- Sign updates and verify signatures
- Keep Tauri and Rust updated for security patches
For attack scenarios and threat modeling, see references/threat-model.md
