Harden input validation, CSP, and temp file handling

- Add missing image name validation to install/uninstall commands
- Switch mount options sanitization from blacklist to whitelist
- Use unique sentinel for silent auth expiry to avoid collisions
- Use tempfile crate for askpass script (random filenames)
- Remove unused data: URIs from CSP img-src and font-src
- Align device path validation between frontend and backend
- Fix mount status text when no disks are connected

Author: fenio

src-tauri/Cargo.lock

@@ -26,6 +26,7 @@ portable-pty = "0.9"
 tauri-plugin-process = "2.3.1"
 tauri-plugin-notification = "2.3.3"
 tauri-plugin-dialog = "2"
+tempfile = "3.25.0"
 
 [target.'cfg(target_os = "macos")'.dependencies]
 objc2-app-kit = { version = "0.3", features = ["NSApplication", "NSRunningApplication"] }

src-tauri/Cargo.toml

@@ -257,7 +257,7 @@ fn execute_with_sudo(args: &[&str], passphrase: Option<&str>, silent: bool) -> R
         None => {
             if silent {
                 log::debug!("sudo: native auth expired, silent mode — skipping password dialog");
-                return Err("AUTH_EXPIRED".to_string());
+                return Err("ALFS_SILENT_AUTH_EXPIRED".to_string());
             }
             log::debug!("sudo: native auth unavailable, falling back to password dialog");
         }
@@ -345,33 +345,32 @@ fn execute_with_sudo(args: &[&str], passphrase: Option<&str>, silent: bool) -> R
 
 fn create_askpass_script() -> Result<String, String> {
     use std::io::Write;
-    use std::os::unix::fs::OpenOptionsExt;
-
-    // Use unique filename with PID and timestamp to prevent race conditions
-    let pid = std::process::id();
-    let timestamp = std::time::SystemTime::now()
-        .duration_since(std::time::UNIX_EPOCH)
-        .map(|d| d.as_nanos())
-        .unwrap_or(0);
-    let script_path = format!("/tmp/anylinuxfs-askpass-{}-{}.sh", pid, timestamp);
+    use std::os::unix::fs::PermissionsExt;
 
     // Create askpass script that uses osascript to prompt for password
     // The password goes directly from osascript to sudo, never through our app
     let script_content = r#"#!/bin/bash
 osascript -e 'Tell application "System Events" to display dialog "anylinuxfs requires administrator privileges." & return & return & "Enter your password:" with hidden answer default answer "" buttons {"Cancel", "OK"} default button "OK" with title "Authentication Required" with icon caution' -e 'text returned of result' 2>/dev/null
 "#;
 
-    // Create file with restrictive permissions from the start (0700)
-    // This prevents TOCTOU race conditions
-    let mut file = fs::OpenOptions::new()
-        .write(true)
-        .create_new(true)  // Fail if file already exists
-        .mode(0o700)
-        .open(&script_path)
+    // Use tempfile for a cryptographically random filename, preventing symlink attacks
+    let mut file = tempfile::Builder::new()
+        .prefix("anylinuxfs-askpass-")
+        .suffix(".sh")
+        .tempfile()
         .map_err(|e| format!("Failed to create askpass script: {}", e))?;
 
+    // Set restrictive permissions (owner-only executable)
+    file.as_file().set_permissions(fs::Permissions::from_mode(0o700))
+        .map_err(|e| format!("Failed to set askpass script permissions: {}", e))?;
+
     file.write_all(script_content.as_bytes())
         .map_err(|e| format!("Failed to write askpass script: {}", e))?;
 
-    Ok(script_path)
+    // Persist the file (disables auto-delete) so sudo can read it;
+    // the caller is responsible for removing it after use
+    let (_, path) = file.keep()
+        .map_err(|e| format!("Failed to persist askpass script: {}", e))?;
+
+    Ok(path.to_string_lossy().to_string())
 }

src-tauri/src/cli.rs

@@ -19,11 +19,12 @@ fn validate_device_path(device: &str) -> Result<(), String> {
         return Err("Device path cannot contain '..'".to_string());
     }
     if device.starts_with("/dev/") {
-        // Normal device: allow alphanumeric, slash, dash, underscore
-        let valid_chars = device.chars().all(|c| {
-            c.is_ascii_alphanumeric() || c == '/' || c == '-' || c == '_'
+        // Normal device: only allow alphanumeric, dash, underscore after /dev/ prefix
+        let suffix = &device["/dev/".len()..];
+        let valid_chars = suffix.chars().all(|c| {
+            c.is_ascii_alphanumeric() || c == '-' || c == '_'
         });
-        if !valid_chars {
+        if suffix.is_empty() || !valid_chars {
             return Err("Device path contains invalid characters".to_string());
         }
     } else if device.starts_with("raid:") || device.starts_with("lvm:") {
@@ -496,10 +497,12 @@ pub async fn mount_disk(app: AppHandle, device: String, passphrase: Option<Strin
     // Validate device path before use
     validate_device_path(&device)?;
 
-    // Sanitize extra_options to prevent command injection
+    // Sanitize extra_options with a whitelist to prevent command injection
     if let Some(ref opts) = extra_options {
-        let forbidden = [';', '|', '&', '`', '$', '(', ')', '\n', '\r'];
-        if opts.chars().any(|c| forbidden.contains(&c)) {
+        let valid = opts.chars().all(|c| {
+            c.is_ascii_alphanumeric() || matches!(c, ',' | '.' | '_' | '-' | '=' | '/')
+        });
+        if !valid {
             return Err("Mount options contain invalid characters".to_string());
         }
     }

src-tauri/src/commands/disk.rs

@@ -1,6 +1,22 @@
 use serde::Serialize;
 use crate::cli::execute_command;
 
+/// Validate image name format to prevent path traversal or command injection.
+/// Image names should only contain alphanumeric characters, hyphens, dots, and underscores.
+pub fn validate_image_name(image: &str) -> Result<(), String> {
+    if image.is_empty() {
+        return Err("Image name cannot be empty".to_string());
+    }
+    let valid = image.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.' || c == '_');
+    if !valid {
+        return Err(format!("Invalid image name '{}': contains invalid characters", image));
+    }
+    if image.contains("..") {
+        return Err("Image name cannot contain '..'".to_string());
+    }
+    Ok(())
+}
+
 #[derive(Debug, Clone, Serialize)]
 pub struct VmImage {
     pub name: String,
@@ -33,6 +49,7 @@ pub fn list_images() -> Result<Vec<VmImage>, String> {
 
 #[tauri::command]
 pub async fn install_image(name: String) -> Result<(), String> {
+    validate_image_name(&name)?;
     tokio::task::spawn_blocking(move || {
         execute_command(&["image", "install", &name], false, None, false)?;
         Ok(())
@@ -43,6 +60,7 @@ pub async fn install_image(name: String) -> Result<(), String> {
 
 #[tauri::command]
 pub async fn uninstall_image(name: String) -> Result<(), String> {
+    validate_image_name(&name)?;
     tokio::task::spawn_blocking(move || {
         execute_command(&["image", "uninstall", &name], false, None, false)?;
         Ok(())

src-tauri/src/commands/image.rs

@@ -3,22 +3,7 @@ use std::io::{Read, Write};
 use std::sync::{Arc, Mutex};
 use tauri::{AppHandle, Emitter};
 use crate::cli::get_path;
-
-/// Validate image name format to prevent path traversal or command injection
-/// Image names should only contain alphanumeric characters, hyphens, dots, and underscores
-fn validate_image_name(image: &str) -> Result<(), String> {
-    if image.is_empty() {
-        return Err("Image name cannot be empty".to_string());
-    }
-    let valid = image.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.' || c == '_');
-    if !valid {
-        return Err(format!("Invalid image name '{}': contains invalid characters", image));
-    }
-    if image.contains("..") {
-        return Err("Image name cannot contain '..'".to_string());
-    }
-    Ok(())
-}
+use super::image::validate_image_name;
 
 pub struct PtyState {
     writer: Option<Box<dyn Write + Send>>,

src-tauri/src/commands/shell.rs

@@ -27,7 +27,7 @@
       }
     ],
     "security": {
-      "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' asset: data:; font-src 'self' data:; connect-src ipc: http://ipc.localhost"
+      "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' asset:; font-src 'self'; connect-src ipc: http://ipc.localhost"
     }
   },
   "bundle": {

src-tauri/tauri.conf.json

@@ -128,7 +128,7 @@
 		<div class="status-info">
 			<div class="status-label">No disk mounted</div>
 			<div class="status-details">
-				<span class="detail-item">Select a partition below to mount</span>
+				<span class="detail-item">{$disks.disks.length > 0 ? 'Select a partition below to mount' : 'Connect a drive to get started'}</span>
 			</div>
 		</div>
 	</div>

src/components/MountStatus.svelte

@@ -22,7 +22,7 @@ export const Limits = {
 } as const;
 
 // Device validation
-const DEVICE_PATH_REGEX = /^\/dev\/[a-zA-Z0-9_-]+[a-zA-Z0-9_\-s]*$/;
+const DEVICE_PATH_REGEX = /^\/dev\/[a-zA-Z0-9_-]+$/;
 const RAID_PATH_REGEX = /^raid:[a-zA-Z0-9:_-]+$/;
 const LVM_PATH_REGEX = /^lvm:[a-zA-Z0-9:_-]+$/;
 

src/lib/constants.ts

@@ -48,7 +48,7 @@ function createDisksStore() {
 				}));
 			} catch (e) {
 				const rawError = String(e);
-				if (silent && rawError.includes('AUTH_EXPIRED')) {
+				if (silent && rawError.includes('ALFS_SILENT_AUTH_EXPIRED')) {
 					// Credentials expired during auto-refresh — disable admin mode quietly
 					currentAdminMode = false;
 					update((s) => ({