
Douwe de Vries edited this page Jul 1, 2026 · 2 revisions

Security

Active contributors: Douwe de Vries

CSV Align is a local application for comparing user-selected CSV files. It has no authentication or authorization layer because the app is intended to run on the user's own machine, either as a loopback web server or a desktop app. Do not expose the local web server beyond 127.0.0.1.

Trust boundaries

| Boundary | What crosses it | Controls |
|---|---|---|
| Browser to local Axum server | HTTP requests under /api/*, multipart CSV uploads, JSON bodies, and download responses. | Server binds to 127.0.0.1:3001; route and body handling lives in /Users/vriesd/projects/csv-align/src/api/app.rs and /Users/vriesd/projects/csv-align/src/api/handlers.rs. |
| Tauri WebView to Rust commands | invoke(...) payloads, selected CSV bytes, and command return values. | Command names are registered in /Users/vriesd/projects/csv-align/src-tauri/src/main.rs and implemented in /Users/vriesd/projects/csv-align/src-tauri/src/commands.rs. |
| App to local filesystem | User-selected CSV inputs, exported CSV/HTML files, pair-order text files, and snapshot JSON files. | Desktop writes use native save/open dialogs; browser mode uses user-selected files and downloaded attachments. |
| Release artifacts to users | macOS app bundles, Linux packages, APT repository metadata, and setup packages. | Signing and verification details are documented in /Users/vriesd/projects/csv-align/docs/releasing.md and implemented through release workflows. |

Local file handling

CSV files enter the app only through user selection. Browser mode posts a selected File as multipart form data. Desktop mode reads selected file bytes in /Users/vriesd/projects/csv-align/frontend/src/services/tauri.ts and sends them to load_csv_bytes; desktop path loading is disabled in the frontend service. The path-based Tauri load_csv function in /Users/vriesd/projects/csv-align/src-tauri/src/commands.rs is compiled only for tests and is not registered for production.

The CSV parser in /Users/vriesd/projects/csv-align/src/data/csv_loader.rs rejects duplicate headers and malformed rows, detects comma or semicolon delimiters, strips a UTF-8 BOM, and decodes file bytes before parsing.

Upload and load limits

| Limit | Enforcement |
|---|---|
| 25 MiB CSV file size | Frontend validation in /Users/vriesd/projects/csv-align/frontend/src/services/tauri.ts, multipart byte accumulation in /Users/vriesd/projects/csv-align/src/api/handlers.rs, and backend source validation in /Users/vriesd/projects/csv-align/src/backend/workflow.rs. |
| CSV upload body allowance | DefaultBodyLimit::max(MAX_CSV_FILE_BYTES * 2) on the upload route in /Users/vriesd/projects/csv-align/src/api/app.rs, allowing multipart overhead while still rejecting file bytes over 25 MiB. |
| Comparison snapshot load body allowance | DefaultBodyLimit::max(MAX_CSV_FILE_BYTES * 4) on the snapshot load route in /Users/vriesd/projects/csv-align/src/api/app.rs. |
| Session count and memory budget | /Users/vriesd/projects/csv-align/src/backend/store.rs caps sessions at 128 by default, expires idle sessions after one hour, and evicts over-budget sessions above an estimated 512 MiB total. |
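The two ingest controls described above, the 25 MiB cap applied while the multipart bytes are accumulated and the parser checks from Local file handling (BOM strip, delimiter detection, duplicate-header and malformed-row rejection), shown together as an added Rust example. This is not the project's handlers.rs or csv_loader.rs; the error enum, the chunk-slice interface and the split-based field counting (no quoting support) are assumptions made for the illustration.

```rust
// Added example, not the project's csv_loader.rs or handlers.rs: the 25 MiB cap
// applied while buffering, then BOM strip, delimiter pick and header checks.
const MAX_CSV_FILE_BYTES: usize = 25 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum LoadError {
    TooLarge { received: usize },
    Empty,
    InvalidUtf8,
    DuplicateHeader(String),
    RowWidth { line: usize, expected: usize, found: usize },
}

/// Buffer multipart chunks, failing as soon as the running total would pass the cap.
pub fn accumulate_chunks(chunks: &[&[u8]]) -> Result<Vec<u8>, LoadError> {
    let mut buf = Vec::new();
    for chunk in chunks {
        if buf.len() + chunk.len() > MAX_CSV_FILE_BYTES {
            return Err(LoadError::TooLarge { received: buf.len() + chunk.len() });
        }
        buf.extend_from_slice(chunk);
    }
    Ok(buf)
}

/// Strip a UTF-8 BOM, choose ',' or ';' from the header line, reject duplicate
/// headers and rows whose field count differs (quoted fields are not handled here).
pub fn parse_headers(bytes: &[u8]) -> Result<(char, Vec<String>), LoadError> {
    let bytes = bytes.strip_prefix(b"\xEF\xBB\xBF").unwrap_or(bytes);
    let text = std::str::from_utf8(bytes).map_err(|_| LoadError::InvalidUtf8)?;
    let mut lines = text.lines().enumerate();
    let (_, header) = lines.next().ok_or(LoadError::Empty)?;
    let delim = if header.matches(';').count() > header.matches(',').count() { ';' } else { ',' };
    let headers: Vec<String> = header.split(delim).map(|h| h.trim().to_string()).collect();
    let mut seen = std::collections::HashSet::new();
    for h in &headers {
        if !seen.insert(h.as_str()) {
            return Err(LoadError::DuplicateHeader(h.clone()));
        }
    }
    for (i, line) in lines {
        if line.trim().is_empty() { continue; }
        let found = line.split(delim).count();
        if found != headers.len() {
            return Err(LoadError::RowWidth { line: i + 1, expected: headers.len(), found });
        }
    }
    Ok((delim, headers))
}
```

Checking the size on every chunk rather than after the body is complete is what keeps an oversized upload from ever being fully buffered.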

Session state

Sessions are in-memory only. /Users/vriesd/projects/csv-align/src/backend/store.rs generates UUID session IDs, tracks last access times, and removes old sessions when count, idle-timeout, or estimated-byte limits are exceeded. There is no persistence of loaded CSV data unless the user explicitly exports results, saves a pair-order file, or saves a comparison snapshot.
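An added Rust example of the three eviction rules described above (count cap, idle timeout, estimated-byte budget), not the project's store.rs. It assumes integer-counter session IDs in place of UUIDs and takes the clock as a parameter in seconds so each rule can be exercised deterministically; the least-recently-used ordering with ID as tie-breaker is also an assumption.

```rust
// Added example, not the project's store.rs: an in-memory session table with the
// three limits the page lists. Assumptions: integer-counter IDs instead of UUIDs and
// an injected clock (seconds) so the eviction rules can be exercised deterministically.
use std::collections::HashMap;

pub const MAX_SESSIONS: usize = 128;
pub const IDLE_TIMEOUT_SECS: u64 = 60 * 60;
pub const MEMORY_BUDGET_BYTES: usize = 512 * 1024 * 1024;

struct Session { last_access: u64, estimated_bytes: usize }

pub struct SessionStore { sessions: HashMap<u64, Session>, next_id: u64 }

impl SessionStore {
    pub fn new() -> Self { SessionStore { sessions: HashMap::new(), next_id: 1 } }
    pub fn len(&self) -> usize { self.sessions.len() }
    pub fn total_bytes(&self) -> usize { self.sessions.values().map(|s| s.estimated_bytes).sum() }

    /// Register a loaded CSV's estimated footprint, then enforce every limit.
    pub fn insert(&mut self, now: u64, estimated_bytes: usize) -> u64 {
        let id = self.next_id;
        self.next_id += 1;
        self.sessions.insert(id, Session { last_access: now, estimated_bytes });
        self.evict(now);
        id
    }

    /// Refresh last-access time; returns false if the session no longer exists.
    pub fn touch(&mut self, now: u64, id: u64) -> bool {
        self.evict(now);
        match self.sessions.get_mut(&id) { Some(s) => { s.last_access = now; true } None => false }
    }

    /// Drop sessions idle for the timeout, then drop least-recently-used sessions
    /// (oldest ID breaks ties) until both the count cap and the byte budget hold.
    fn evict(&mut self, now: u64) {
        self.sessions.retain(|_, s| now.saturating_sub(s.last_access) < IDLE_TIMEOUT_SECS);
        while self.sessions.len() > MAX_SESSIONS || self.total_bytes() > MEMORY_BUDGET_BYTES {
            let lru = self.sessions.iter().min_by_key(|(id, s)| (s.last_access, **id)).map(|(id, _)| *id);
            match lru { Some(id) => { self.sessions.remove(&id); } None => break }
        }
    }
}
```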

CSP and desktop capabilities

The Tauri CSP in /Users/vriesd/projects/csv-align/src-tauri/tauri.conf.json keeps production scripts on self, allows inline styles, permits local asset/blob/data images, limits connect targets to the Tauri IPC endpoints and self, blocks objects, restricts base-uri, and prevents framing. The separate dev CSP adds localhost Vite and WebSocket endpoints for development.

The desktop capability file /Users/vriesd/projects/csv-align/src-tauri/capabilities/default.json grants default core permissions, webview window creation, and dialog open/save permissions. File-system access for user workflows goes through the dialog-backed command paths in /Users/vriesd/projects/csv-align/src-tauri/src/commands.rs.

Export safety

Browser exports are returned as attachments with fixed filenames from /Users/vriesd/projects/csv-align/src/api/handlers.rs. Desktop exports write only after the user selects a destination path in a native save dialog. CSV exports are generated by backend workflow code, while desktop HTML export writes the frontend-provided HTML string to the user-selected file.

Pair-order files and comparison snapshots are explicit user actions. Browser mode downloads or reads user-selected files. Desktop mode uses native save/open dialogs and returns None on cancellation.

Release signing and distribution

Release signing is handled outside the running app:

  • macOS release builds require Developer ID certificate secrets and App Store Connect API key credentials for signing, notarization, and stapling.
  • Debian packages are signed with dpkg-sig when the configured GPG signing secrets are present.
  • The APT repository publishes signed InRelease and Release.gpg metadata and a hosted keyring for repository verification.
  • The installer script verifies the setup package SHA256 sidecar signature and checksum before installing the repository setup package.
  • RPM assets are published separately and are not part of the Debian dpkg-sig signing flow.

See /Users/vriesd/projects/csv-align/docs/releasing.md and deployment for packaging context.

Key source files

| File | Purpose |
|---|---|
| /Users/vriesd/projects/csv-align/src/main.rs | Binds the local web server to 127.0.0.1:3001 and initializes local logging. |
| /Users/vriesd/projects/csv-align/src/api/app.rs | Defines HTTP routes and route body limits. |
| /Users/vriesd/projects/csv-align/src/api/handlers.rs | Reads multipart uploads, enforces upload byte limits, and emits attachment responses. |
| /Users/vriesd/projects/csv-align/src/backend/workflow.rs | Enforces the 25 MiB CSV load limit and shared workflow validation. |
| /Users/vriesd/projects/csv-align/src/backend/store.rs | Caps session count, idle duration, and total estimated stored bytes. |
| /Users/vriesd/projects/csv-align/src/data/csv_loader.rs | Parses CSV bytes and rejects duplicate headers or malformed rows. |
| /Users/vriesd/projects/csv-align/frontend/src/services/tauri.ts | Validates frontend CSV file sizes and disables desktop path loading. |
| /Users/vriesd/projects/csv-align/src-tauri/tauri.conf.json | Defines Tauri CSP, dev CSP, window settings, and bundle metadata. |
| /Users/vriesd/projects/csv-align/src-tauri/capabilities/default.json | Grants desktop permissions for core/webview behavior and dialogs. |
| /Users/vriesd/projects/csv-align/docs/releasing.md | Documents release signing, notarization, Debian package signing, and APT repository signing. |
