Fix (critical): scope app bridge responses/events to their webview#794
Open
Rigidity wants to merge 1 commit into
Open
Fix (critical): scope app bridge responses/events to their webview#794Rigidity wants to merge 1 commit into
Rigidity wants to merge 1 commit into
Conversation
Bridge responses and per-app runtime events were delivered with `Emitter::emit`, which in Tauri broadcasts to every webview that has a JS listener for the event name rather than only the intended one. Since `wallet.getSecretKey` (and other approval-gated) results are delivered over the `sage-bridge:response` rail, a second user app running concurrently could subscribe to that event and capture another app's secret key material and bridge results. Deliver `sage-bridge:response` and the user/system runtime event rails with `emit_to(<app webview label>, ...)` so each payload reaches only the originating app's webview. The broadcast to the trusted main Sage webview (`apps:runtime-event`) is unchanged and documented.
Contributor
|
Cherry-picked minus the comment section Can be closed |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Severity: Critical (C1)
Problem
Bridge responses and per-app runtime events are delivered with
Emitter::emit. In Tauri 2.10,Webview::emitroutes tomanager.emit, which iterates all webviews and delivers to every JS listener registered for that event name — regardless of which webview handle you call it on. The scopedemit_to/emit_filtervariants were never used.Because approval-gated results (notably
wallet.getSecretKey, and signedwallet.sendXchresults) are delivered over thesage-bridge:responserail, a second user app running concurrently (taskbar runtimes allow multiple live apps) can registergetCurrentWebview().listen('sage-bridge:response', …)and read another app's payload directly viaevent.payload— including secret key material. The same applies to thesage-bridge:event/sage-system-bridge:*rails.Fix
Deliver
sage-bridge:responseand the user/system runtime-event rails withemit_to(<app webview label>, …)so each payload reaches only the originating app's webview. The SDK subscribes viagetCurrentWebview().listen(...)(anEventTarget::Webview { label }listener), whichemit_to(AnyLabel { label })matches exactly.The broadcast to the trusted main Sage webview (
apps:runtime-event, consumed byAppsContext) is intentionally left as-is and documented, because the main UI subscribes with the corelisten(targetAny) and that channel carries host-level state, not per-app secrets.Follow-up (not in this PR)
As defense-in-depth, scope the
core:event:allow-listencapability inapps.json/system-apps.jsonto an allowlist of event names so an app webview cannot subscribe toapps:runtime-eventor the opposite rail at all. The current Tauri ACL schema ingen/schemasdoesn't expose per-event scoping, so this needs a capability/schema change tracked separately.Testing
No local build (per request); relying on CI. Worth adding an integration test asserting app B never receives app A's
sage-bridge:response.Note
High Risk
Security-critical fix for wallet/bridge secret leakage across concurrent apps; behavior change is narrow but touches authentication-sensitive delivery paths.
Overview
Fixes a critical cross-app leak where
sage-bridge:responseand per-appsage-bridge:event/sage-system-bridge:eventtraffic was sent with Tauriemit, which in 2.10 can deliver to every webview listening on that event name—not only the originating app.emit_bridge_response_to_appandemit_runtime_event_to_app_idnow useemit_towith the app's webview label so bridge responses and user/system runtime events reach only that app's webview. Host-levelapps:runtime-eventemissions to the trusted Sage main webview stay onemit; a comment documents that split.Reviewed by Cursor Bugbot for commit 616f9ee. Bugbot is set up for automated code reviews on this repo. Configure here.