fix: add Isolation Pattern to tauri app

- added proper security IPC Isolation Pattern
- begin migratio not tauri FS API for proper path sanitization

Author: ZanzyTHEbar

GUI/ETVR/dist-isolation/index.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8" />
+    <title>Isolation Secure Script</title>
+</head>
+
+<body>
+    <script src="index.js"></script>
+</body>
+
+</html>

GUI/ETVR/dist-isolation/index.js

@@ -0,0 +1,5 @@
+window.__TAURI_ISOLATION_HOOK__ = (payload) => {
+    // let's not verify or modify anything, just print the content from the hook
+    console.log('hook', payload)
+    return payload
+}

GUI/ETVR/src-tauri/Cargo.lock

@@ -31,7 +31,7 @@ features = ["derive"]
 
 [dependencies.tauri]
 version = "1.1.1"
-features = [
+features = [ "isolation",
     "protocol-asset",
     "fs-all",
     "shell-sidecar",
@@ -84,7 +84,7 @@ features = ["full"]
 
 [build-dependencies.tauri-build]
 version = "1.1.1"
-features = []
+features = ["isolation"]
 
 [profile.dev]
 debug = 0

GUI/ETVR/src-tauri/Cargo.toml

@@ -146,7 +146,11 @@ async fn close_splashscreen(window: tauri::Window) {
 }
 
 #[tauri::command]
-async fn unzip_archive(archive_path: String, target_dir: String) -> Result<String, String> {
+async fn unzip_archive(
+  window: tauri::Window,
+  archive_path: String,
+  target_dir: String,
+) -> Result<String, String> {
   // The third parameter allows you to strip away toplevel directories.
   // If `archive` contained a single directory, its contents would be extracted instead.
   let _target_dir = std::path::PathBuf::from(target_dir); // Doesn't need to exist
@@ -155,18 +159,13 @@ async fn unzip_archive(archive_path: String, target_dir: String) -> Result<Strin
   zip_extract::extract(std::io::Cursor::new(archive), &_target_dir, true)
     .expect("Failed to extract archive");
 
-  // erase the archive
-  std::fs::remove_file(archive_path).expect("Failed to remove archive");
+  // erase the archive file
+  //window.app_handle(|app| {
+  //  let _ = app.remove_path(&archive_path);
+  //});
   Ok("Archive extracted".to_string())
 }
 
-#[tauri::command]
-async fn remove_archive(archive_path: String) -> Result<String, String> {
-  // erase the archive
-  std::fs::remove_file(archive_path).expect("Failed to remove archive");
-  Ok("Archive removed".to_string())
-}
-
 fn main() {
   let quit = CustomMenuItem::new("quit".to_string(), "Quit");
   let hide = CustomMenuItem::new("hide".to_string(), "Hide");
@@ -194,8 +193,7 @@ fn main() {
       run_mdns_query,
       get_user,
       do_rest_request,
-      unzip_archive,
-      remove_archive
+      unzip_archive
     ])
     // allow only one instance and propgate args and cwd to existing instance
     .plugin(tauri_plugin_single_instance::init(|app, args, cwd| {

GUI/ETVR/src-tauri/src/main.rs

@@ -11,6 +11,12 @@
     "version": "1.0.0"
   },
   "tauri": {
+    "pattern": {
+      "use": "isolation",
+      "options": {
+        "dir": "../dist-isolation"
+      }
+    },
     "allowlist": {
       "all": false,
       "clipboard": {

GUI/ETVR/src-tauri/tauri.conf.json

@@ -10,8 +10,8 @@ export const EraseButton = () => {
         const appConfigPath = await appConfigDir()
         const firmwarePath = await join(appConfigPath, 'merged-firmware.bin')
         const manifestPath = await join(appConfigPath, 'manifest.json')
-        await invoke('remove_archive', { archivePath: firmwarePath })
-        await invoke('remove_archive', { archivePath: manifestPath })
+        //await invoke('remove_archive', { archivePath: firmwarePath })
+        //await invoke('remove_archive', { archivePath: manifestPath })
     }
 
     return (