Context
Bugbot flagged on PR #52 (comments 3104931739, 3106546880).
Problem
apps/desktop/src-tauri/src/main.rs::parse_deep_link_arg() accepts any CLI argument starting with calimero:// and stores it verbatim into PendingCloudAuth. The frontend then parses the URL and extracts fields.
The frontend already validates the CSRF state parameter, so arbitrary calimero:// URLs can't successfully complete the login flow. But defense-in-depth on the Rust side would:
- Reject URLs whose host/path isn't cloud-callback.
- Reject URLs over some size limit (e.g. 8 KB) to prevent pathological inputs.
- Strip or error on fragments/params we don't expect.
Scope
Small. Parse the URL with the url crate, check that scheme, host and path match the expected shape, reject otherwise. Log a warning on rejection so we can see if anything in prod triggers it; log the rejection reason rather than the full URL, since a genuine callback carries the state parameter and we don't want that in logs.
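An added example of the shape check described above; this is illustration code, not the project's parse_deep_link_arg. The issue proposes parsing with the url crate; this version does the same checks with std only so it runs with no dependencies, and returns the original string on success so it can still be stored verbatim for the frontend. The host cloud-callback and the 8 KB cap come from the issue; the allowed query parameter names (code, state), the choice to reject rather than strip unexpected fragments and parameters, and eprintln! standing in for the real logger are assumptions.

```rust
// Added example, not the project's code. Std-only stand-in for a
// url-crate-based validator of the calimero://cloud-callback deep link.

/// Size cap from the issue: reject pathological inputs before parsing.
const MAX_DEEP_LINK_LEN: usize = 8 * 1024;
const EXPECTED_SCHEME: &str = "calimero";
const EXPECTED_HOST: &str = "cloud-callback";
/// Assumed: the callback carries only these query parameters.
const ALLOWED_PARAMS: &[&str] = &["code", "state"];

#[derive(Debug, PartialEq)]
pub enum DeepLinkError {
    TooLong(usize),
    WrongScheme,
    WrongHost,
    WrongPath,
    HasFragment,
    UnexpectedParam(String),
    DuplicateParam(String),
    MissingParam(&'static str),
}

/// Accepts only `calimero://cloud-callback[/]?<allowed params>` and returns the
/// untouched input so the caller can keep storing it verbatim.
pub fn validate_deep_link(raw: &str) -> Result<&str, DeepLinkError> {
    if raw.len() > MAX_DEEP_LINK_LEN {
        return Err(DeepLinkError::TooLong(raw.len()));
    }
    // Scheme is case-insensitive per RFC 3986 (the url crate lowercases it).
    let rest = match raw.split_once("://") {
        Some((scheme, rest)) if scheme.eq_ignore_ascii_case(EXPECTED_SCHEME) => rest,
        _ => return Err(DeepLinkError::WrongScheme),
    };
    // A fragment is never expected on the callback; reject instead of stripping.
    if rest.contains('#') {
        return Err(DeepLinkError::HasFragment);
    }
    let (authority_and_path, query) = match rest.split_once('?') {
        Some((a, q)) => (a, Some(q)),
        None => (rest, None),
    };
    // Anything before the first '/' is the authority; userinfo or a port would
    // make it differ from the bare host and is rejected by the equality below.
    let (host, path) = match authority_and_path.find('/') {
        Some(i) => (&authority_and_path[..i], &authority_and_path[i..]),
        None => (authority_and_path, ""),
    };
    if !host.eq_ignore_ascii_case(EXPECTED_HOST) {
        return Err(DeepLinkError::WrongHost);
    }
    if !(path.is_empty() || path == "/") {
        return Err(DeepLinkError::WrongPath);
    }
    // Only allow-listed parameter names, each at most once.
    let mut seen: Vec<&str> = Vec::new();
    if let Some(q) = query {
        for pair in q.split('&').filter(|p| !p.is_empty()) {
            let key = pair.split_once('=').map_or(pair, |(k, _)| k);
            if !ALLOWED_PARAMS.contains(&key) {
                return Err(DeepLinkError::UnexpectedParam(key.to_string()));
            }
            if seen.contains(&key) {
                return Err(DeepLinkError::DuplicateParam(key.to_string()));
            }
            seen.push(key);
        }
    }
    // The frontend's CSRF check needs `state`; a link without it is useless.
    if !seen.contains(&"state") {
        return Err(DeepLinkError::MissingParam("state"));
    }
    Ok(raw)
}

/// Stand-in for parse_deep_link_arg: picks the first calimero:// argument that
/// passes validation. Rejections log only the reason, never the URL itself.
pub fn parse_deep_link_arg(args: &[String]) -> Option<String> {
    for arg in args {
        if !arg.starts_with("calimero://") {
            continue;
        }
        match validate_deep_link(arg) {
            Ok(valid) => return Some(valid.to_string()),
            // eprintln! stands in for the app's logger (assumption).
            Err(e) => eprintln!("warning: rejected calimero:// deep link: {e:?}"),
        }
    }
    None
}

fn main() {
    let args: Vec<String> = std::env::args().skip(1).collect();
    match parse_deep_link_arg(&args) {
        Some(link) => println!("accepted: {link}"),
        None => println!("no valid calimero://cloud-callback link in args"),
    }
}
```

Rejecting rather than stripping unexpected parameters is the stricter choice: a stripped URL can still reach the frontend with a query the Rust side has silently rewritten, whereas a rejection is visible in the warning log, which is the whole point of adding the check.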
Priority
Low. The frontend CSRF state check + server-side token validation already prevent real exploitation. This is hygiene — keeps a malicious process from using the Tauri app as a URL handler for anything other than the one deep link we actually care about.