tauri-apps / tauri

Build smaller, faster, and more secure desktop and mobile applications with a web frontend.
https://tauri.app
Apache License 2.0

[bug] My system username is leaked in binary file #6538

Open kwpal opened 1 year ago

kwpal commented 1 year ago

Describe the bug

Based on the recommended options from the official website, I have set strip = true, but the compiled binary still contains my system username.

binary screenshot:

username

Reproduction

  1. sh <(curl https://create.tauri.app/sh)
    ✔ Project name · realapp
    ✔ Choose which language to use for your frontend · Rust - (cargo)
    ✔ Choose your UI template · Vanilla
  2. add [profile.release] in Cargo.toml
    [profile.release]
    panic = "abort"   # Strip expensive panic clean-up logic
    codegen-units = 1 # Compile crates one after another so the compiler can optimize better
    lto = true        # Enables link to optimizations
    opt-level = "s"   # Optimize for binary size
    strip = true      # Remove debug symbols
  3. cargo tauri build
  4. search username in binary: src-tauri/target/release/bundle/macos/realapp.app/Contents/MacOS/realapp

Expected behavior

Should remove my username from the compiled binary.

Platform and versions

Environment
  › OS: Mac OS 11.5.2 X64
  › Node.js: 18.13.0
  › npm: 8.19.3
  › pnpm: 7.26.3
  › yarn: 1.22.19
  › rustup: 1.25.2
  › rustc: 1.68.0
  › cargo: 1.68.0
  › Rust toolchain: stable-x86_64-apple-darwin

Packages
WARNING: no lock files found, defaulting to npm
  › @tauri-apps/cli [NPM]: 1.2.3
  › @tauri-apps/api [NPM]: Not installed!
  › tauri [RUST]: 1.2.4,
  › tauri-build [RUST]: 1.2.1,
  › tao [RUST]: 0.15.8,
  › wry [RUST]: 0.23.4,

App
  › build-type: bundle
  › CSP: unset
  › distDir: ../src
  › devPath: ../src
package.json not found

App directory structure
  ├─ src-tauri
  ├─ .vscode
  └─ src

Stack trace

No response

Additional context

No response

JonasKruckenberg commented 1 year ago

Okay so, interesting story. Thanks to your issue I learned about --remap-path-prefix=!

Here's what is happening: When Rust compiles your binary, for every occurrence of a panic it will include information for displaying a proper panic message. This panic includes a pointer to the line and file in question. So what you are seeing are the panic message strings that are placed into the binary by the compiler.

Now, why are these paths absolute? I have absolutely no clue! But this has been brought up before (here and here and probably many other times), so this isn't anything we're doing, but something the Rust compiler is doing.

To fix this: As mentioned in the issues I linked above, there is a Rust compiler flag called --remap-path-prefix= that you can use to "strip"/replace the path prefix that includes your username. You can set these flags like so:

RUSTFLAGS="--remap-path-prefix=/Users/jonas/Documents/GitHub/rust-updater/tauri-app/src-tauri/src=src --remap-path-prefix=/Users/jonas/.cargo=cargo --remap-path-prefix=/Users/jonas/.rustup=rustup" cargo tauri build

This will strip all the occurrences of your username from the final binary (at least it did on my machine)

Okay cool, I can hear you saying though "this is a stupid and incredibly unergonomic solution" and I would absolutely agree with you, arguably this should be fixed in Rust. Maybe we can, as a stopgap solution, add these flags when the tauri cli compiles your app though 🤔
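
The workaround from the comment above, generalized so the prefixes come from the current user's environment and the built binary is checked afterwards. This is an added example, not part of the thread or of Tauri; the function names are hypothetical, and it assumes the default ~/.cargo and ~/.rustup locations (unless CARGO_HOME or RUSTUP_HOME is set) and paths without whitespace.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Tauri or Cargo.
# Assumes the paths contain no whitespace (RUSTFLAGS is split on spaces).

# Print --remap-path-prefix flags for a project source dir and the current
# user's Cargo and rustup homes (defaults ~/.cargo and ~/.rustup).
remap_flags() (
  src_dir=$1
  cargo_home=${CARGO_HOME:-$HOME/.cargo}
  rustup_home=${RUSTUP_HOME:-$HOME/.rustup}
  printf '%s %s %s\n' \
    "--remap-path-prefix=$src_dir=src" \
    "--remap-path-prefix=$cargo_home=cargo" \
    "--remap-path-prefix=$rustup_home=rustup"
)

# Print every printable string in a binary that contains the needle
# (for example "$HOME" or the bare username), one per line, de-duplicated.
leaked_paths() (
  binary=$1 needle=$2
  # Split the file on non-printable bytes, then match the needle literally.
  LC_ALL=C tr -c '[:print:]' '\n' < "$binary" |
    LC_ALL=C grep -F -- "$needle" | sort -u
)

# Succeed only if the binary contains no string with the needle in it.
binary_is_clean() {
  [ -z "$(leaked_paths "$1" "$2")" ]
}

# Typical use from the src-tauri directory (binary path as in the report):
#   RUSTFLAGS="$(remap_flags "$PWD/src")" cargo tauri build
#   bin=target/release/bundle/macos/realapp.app/Contents/MacOS/realapp
#   binary_is_clean "$bin" "$HOME" || leaked_paths "$bin" "$HOME"
```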