security
Active contributors: Douwe de Vries
CSV Align is a local application for comparing user-selected CSV files. It has no authentication or authorization layer because the app is intended to run on the user's own machine, either as a loopback web server or a desktop app. Do not expose the local web server beyond 127.0.0.1.
| Boundary | What crosses it | Controls |
|---|---|---|
| Browser to local Axum server | HTTP requests under /api/*, multipart CSV uploads, JSON bodies, and download responses. | Server binds to 127.0.0.1:3001; route and body handling lives in /Users/vriesd/projects/csv-align/src/api/app.rs and /Users/vriesd/projects/csv-align/src/api/handlers.rs. |
| Tauri WebView to Rust commands | invoke(...) payloads, selected CSV bytes, and command return values. | Command names are registered in /Users/vriesd/projects/csv-align/src-tauri/src/main.rs and implemented in /Users/vriesd/projects/csv-align/src-tauri/src/commands.rs. |
| App to local filesystem | User-selected CSV inputs, exported CSV/HTML files, pair-order text files, and snapshot JSON files. | Desktop writes use native save/open dialogs; browser mode uses user-selected files and downloaded attachments. |
| Release artifacts to users | macOS app bundles, Linux packages, APT repository metadata, and setup packages. | Signing and verification details are documented in /Users/vriesd/projects/csv-align/docs/releasing.md and implemented through release workflows. |
CSV files enter the app only through user selection. Browser mode posts a selected File as multipart form data. Desktop mode reads selected file bytes in /Users/vriesd/projects/csv-align/frontend/src/services/tauri.ts and sends them to load_csv_bytes; desktop path loading is disabled in the frontend service. The path-based Tauri load_csv function in /Users/vriesd/projects/csv-align/src-tauri/src/commands.rs is compiled only for tests and is not registered for production.
The CSV parser in /Users/vriesd/projects/csv-align/src/data/csv_loader.rs rejects duplicate headers and malformed rows, detects comma or semicolon delimiters, strips a UTF-8 BOM, and decodes file bytes before parsing.
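To make the loader's checks concrete, here is an added, self-contained Rust example that is not the project's csv_loader.rs (that file is not reproduced on this page). It applies the same guards in the order a defensive loader should: the 25 MiB cap from the limits table first, so oversized input is refused before any decoding, then BOM stripping, strict UTF-8 decoding, comma/semicolon detection, duplicate-header rejection, and per-row field-count validation. The names LoadError, Table, decode, split_fields and the quoting rules are assumptions of this example; the real loader may use the csv crate, support more encodings than UTF-8, and differ in details.

```rust
use std::collections::HashSet;

/// 25 MiB cap, the same number the limits table on this page lists.
pub const MAX_CSV_FILE_BYTES: usize = 25 * 1024 * 1024;
const UTF8_BOM: [u8; 3] = [0xEF, 0xBB, 0xBF];

#[derive(Debug, PartialEq)]
pub enum LoadError {
    TooLarge { len: usize, max: usize },
    InvalidUtf8,
    EmptyInput,
    DuplicateHeader(String),
    MalformedRow { line: usize, expected: usize, found: usize },
}

#[derive(Debug, PartialEq)]
pub struct Table {
    pub delimiter: char,
    pub headers: Vec<String>,
    pub rows: Vec<Vec<String>>,
}

/// Strip a leading UTF-8 BOM, then decode strictly (assumption: this example accepts UTF-8 only).
fn decode(bytes: &[u8]) -> Result<&str, LoadError> {
    let body = bytes.strip_prefix(&UTF8_BOM).unwrap_or(bytes);
    std::str::from_utf8(body).map_err(|_| LoadError::InvalidUtf8)
}

/// Choose ';' only when it outnumbers ',' in the header line; ',' otherwise.
fn detect_delimiter(header_line: &str) -> char {
    let commas = header_line.matches(',').count();
    let semicolons = header_line.matches(';').count();
    if semicolons > commas { ';' } else { ',' }
}

/// Split one line into fields. Double-quoted fields may contain the delimiter and
/// use "" for a literal quote; embedded newlines are deliberately not supported here.
fn split_fields(line: &str, delimiter: char) -> Vec<String> {
    let mut fields = Vec::new();
    let mut current = String::new();
    let mut in_quotes = false;
    let mut chars = line.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '"' if in_quotes && chars.peek() == Some(&'"') => {
                current.push('"');
                chars.next();
            }
            '"' => in_quotes = !in_quotes,
            c if c == delimiter && !in_quotes => fields.push(std::mem::take(&mut current)),
            c => current.push(c),
        }
    }
    fields.push(current);
    fields
}

/// Reject the first header that repeats an earlier one.
fn check_unique_headers(headers: &[String]) -> Result<(), LoadError> {
    let mut seen = HashSet::new();
    for header in headers {
        if !seen.insert(header.as_str()) {
            return Err(LoadError::DuplicateHeader(header.clone()));
        }
    }
    Ok(())
}

/// Size check first, so oversized input is refused before any decoding or allocation.
pub fn load_csv_bytes(bytes: &[u8]) -> Result<Table, LoadError> {
    if bytes.len() > MAX_CSV_FILE_BYTES {
        return Err(LoadError::TooLarge { len: bytes.len(), max: MAX_CSV_FILE_BYTES });
    }
    let text = decode(bytes)?;
    let mut lines = text.lines().enumerate();
    let (_, header_line) = lines.next().ok_or(LoadError::EmptyInput)?;
    let delimiter = detect_delimiter(header_line);
    let headers = split_fields(header_line, delimiter);
    check_unique_headers(&headers)?;

    let mut rows = Vec::new();
    for (index, line) in lines {
        if line.is_empty() {
            continue; // tolerate blank lines, but never a row with the wrong field count
        }
        let fields = split_fields(line, delimiter);
        if fields.len() != headers.len() {
            return Err(LoadError::MalformedRow { line: index + 1, expected: headers.len(), found: fields.len() });
        }
        rows.push(fields);
    }
    Ok(Table { delimiter, headers, rows })
}
```

Note the ordering: the length check runs on raw bytes before decoding, so a caller that has already accumulated a multipart body never pays for decoding input it is about to reject, and every error variant carries enough context (line number, expected versus found field count) to report to the user without echoing file contents.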
| Limit | Enforcement |
|---|---|
| 25 MiB CSV file size | Frontend validation in /Users/vriesd/projects/csv-align/frontend/src/services/tauri.ts, multipart byte accumulation in /Users/vriesd/projects/csv-align/src/api/handlers.rs, and backend source validation in /Users/vriesd/projects/csv-align/src/backend/workflow.rs. |
| CSV upload body allowance | DefaultBodyLimit::max(MAX_CSV_FILE_BYTES * 2) on the upload route in /Users/vriesd/projects/csv-align/src/api/app.rs, allowing multipart overhead while still rejecting file bytes over 25 MiB. |
| Comparison snapshot load body allowance | DefaultBodyLimit::max(MAX_CSV_FILE_BYTES * 4) on the snapshot load route in /Users/vriesd/projects/csv-align/src/api/app.rs. |
| Session count and memory budget | /Users/vriesd/projects/csv-align/src/backend/store.rs caps sessions at 128 by default, expires idle sessions after one hour, and evicts over-budget sessions above an estimated 512 MiB total. |
Sessions are in-memory only. /Users/vriesd/projects/csv-align/src/backend/store.rs generates UUID session IDs, tracks last access times, and removes old sessions when count, idle-timeout, or estimated-byte limits are exceeded. There is no persistence of loaded CSV data unless the user explicitly exports results, saves a pair-order file, or saves a comparison snapshot.
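The three store limits above (session count, idle timeout, estimated-byte budget) interact, and the order in which they are applied decides which session is lost. The following is an added Rust example, not the project's store.rs, showing one defensible ordering: expire idle sessions first, then enforce the count cap, then the byte budget, evicting the least recently accessed session at each step. The clock is a caller-supplied second counter so eviction can be exercised without sleeping, the ID is a counter where the real store uses UUIDs, and the StoreLimits, Session, SessionStore and estimate_bytes names plus the overhead constants are assumptions of this example.

```rust
use std::collections::HashMap;

/// Store limits; the defaults mirror the numbers described on this page.
#[derive(Clone, Copy, Debug)]
pub struct StoreLimits {
    pub max_sessions: usize,
    pub idle_timeout_secs: u64,
    pub max_total_bytes: usize,
}

impl Default for StoreLimits {
    fn default() -> Self {
        StoreLimits { max_sessions: 128, idle_timeout_secs: 60 * 60, max_total_bytes: 512 * 1024 * 1024 }
    }
}

#[derive(Debug)]
pub struct Session {
    pub rows: Vec<Vec<String>>,
    pub estimated_bytes: usize,
    /// Seconds on a caller-supplied clock, so expiry can be tested without sleeping.
    pub last_access: u64,
}

const ROW_OVERHEAD: usize = 24;
const CELL_OVERHEAD: usize = 24;

/// Rough footprint of parsed rows: cell bytes plus fixed per-cell and per-row overhead.
pub fn estimate_bytes(rows: &[Vec<String>]) -> usize {
    rows.iter()
        .map(|row| ROW_OVERHEAD + row.iter().map(|cell| CELL_OVERHEAD + cell.len()).sum::<usize>())
        .sum()
}

pub struct SessionStore {
    limits: StoreLimits,
    sessions: HashMap<String, Session>,
    /// The real store issues UUIDs; a counter keeps this example dependency-free.
    next_id: u64,
}

impl SessionStore {
    pub fn new(limits: StoreLimits) -> Self {
        SessionStore { limits, sessions: HashMap::new(), next_id: 0 }
    }

    pub fn len(&self) -> usize {
        self.sessions.len()
    }

    pub fn total_bytes(&self) -> usize {
        self.sessions.values().map(|s| s.estimated_bytes).sum()
    }

    /// Remove sessions idle for at least the timeout; returns how many were dropped.
    pub fn sweep_idle(&mut self, now: u64) -> usize {
        let before = self.sessions.len();
        let timeout = self.limits.idle_timeout_secs;
        self.sessions.retain(|_, s| now.saturating_sub(s.last_access) < timeout);
        before - self.sessions.len()
    }

    /// Evict the least recently used session, if any.
    fn evict_least_recent(&mut self) -> bool {
        let victim = self.sessions.iter()
            .min_by_key(|(_, s)| s.last_access)
            .map(|(id, _)| id.clone());
        match victim {
            Some(id) => self.sessions.remove(&id).is_some(),
            None => false,
        }
    }

    /// Apply the three limits in order: idle timeout, session count, byte budget.
    /// Returns the number of sessions evicted to admit `incoming_bytes`.
    pub fn make_room(&mut self, now: u64, incoming_bytes: usize) -> usize {
        let mut evicted = self.sweep_idle(now);
        while self.sessions.len() >= self.limits.max_sessions && self.evict_least_recent() {
            evicted += 1;
        }
        while self.total_bytes() + incoming_bytes > self.limits.max_total_bytes && self.evict_least_recent() {
            evicted += 1;
        }
        evicted
    }

    /// Store parsed rows and return the new session ID.
    pub fn insert(&mut self, now: u64, rows: Vec<Vec<String>>) -> String {
        let estimated_bytes = estimate_bytes(&rows);
        self.make_room(now, estimated_bytes);
        self.next_id += 1;
        let id = format!("session-{}", self.next_id);
        self.sessions.insert(id.clone(), Session { rows, estimated_bytes, last_access: now });
        id
    }

    /// Look up a session, expiring idle ones first and refreshing the access time on a hit.
    pub fn get(&mut self, id: &str, now: u64) -> Option<&Session> {
        self.sweep_idle(now);
        let session = self.sessions.get_mut(id)?;
        session.last_access = now;
        Some(&*session)
    }
}
```

Because a single upload is capped at 25 MiB and the budget is 512 MiB, one incoming file can never exceed the budget on its own; if those numbers were ever changed so that they could, make_room would empty the store and still admit the file, which is the case a reviewer should check first when the limits are tuned.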
The Tauri CSP in /Users/vriesd/projects/csv-align/src-tauri/tauri.conf.json keeps production scripts on self, allows inline styles, permits local asset/blob/data images, limits connect targets to the Tauri IPC endpoints and self, blocks objects, restricts base-uri, and prevents framing. The separate dev CSP adds localhost Vite and WebSocket endpoints for development.
The desktop capability file /Users/vriesd/projects/csv-align/src-tauri/capabilities/default.json grants default core permissions, webview window creation, and dialog open/save permissions. File-system access for user workflows goes through the dialog-backed command paths in /Users/vriesd/projects/csv-align/src-tauri/src/commands.rs.
Browser exports are returned as attachments with fixed filenames from /Users/vriesd/projects/csv-align/src/api/handlers.rs. Desktop exports write only after the user selects a destination path in a native save dialog. CSV exports are generated by backend workflow code, while desktop HTML export writes the frontend-provided HTML string to the user-selected file.
Pair-order files and comparison snapshots are explicit user actions. Browser mode downloads or reads user-selected files. Desktop mode uses native save/open dialogs and returns None on cancellation.
Release signing is handled outside the running app:
- macOS release builds require Developer ID certificate secrets and App Store Connect API key credentials for signing, notarization, and stapling.
- Debian packages are signed with `dpkg-sig` when the configured GPG signing secrets are present.
- The APT repository publishes signed `InRelease` and `Release.gpg` metadata and a hosted keyring for repository verification.
- The installer script verifies the setup package SHA256 sidecar signature and checksum before installing the repository setup package.
- RPM assets are published separately and are not part of the Debian `dpkg-sig` signing flow.
See /Users/vriesd/projects/csv-align/docs/releasing.md and the deployment documentation for packaging context.
| File | Purpose |
|---|---|
| /Users/vriesd/projects/csv-align/src/main.rs | Binds the local web server to 127.0.0.1:3001 and initializes local logging. |
| /Users/vriesd/projects/csv-align/src/api/app.rs | Defines HTTP routes and route body limits. |
| /Users/vriesd/projects/csv-align/src/api/handlers.rs | Reads multipart uploads, enforces upload byte limits, and emits attachment responses. |
| /Users/vriesd/projects/csv-align/src/backend/workflow.rs | Enforces the 25 MiB CSV load limit and shared workflow validation. |
| /Users/vriesd/projects/csv-align/src/backend/store.rs | Caps session count, idle duration, and total estimated stored bytes. |
| /Users/vriesd/projects/csv-align/src/data/csv_loader.rs | Parses CSV bytes and rejects duplicate headers or malformed rows. |
| /Users/vriesd/projects/csv-align/frontend/src/services/tauri.ts | Validates frontend CSV file sizes and disables desktop path loading. |
| /Users/vriesd/projects/csv-align/src-tauri/tauri.conf.json | Defines Tauri CSP, dev CSP, window settings, and bundle metadata. |
| /Users/vriesd/projects/csv-align/src-tauri/capabilities/default.json | Grants desktop permissions for core/webview behavior and dialogs. |
| /Users/vriesd/projects/csv-align/docs/releasing.md | Documents release signing, notarization, Debian package signing, and APT repository signing. |