Summary
The SSHConfig struct serializes the password field to the frontend, unlike ConnectionProfile.password which correctly uses #[serde(skip_serializing)]. SSH tunnel passwords are sent to the DOM.
Location
src-tauri/crates/mas-core/src/models/connection.rs:72-74
    pub struct SSHConfig {
        pub enabled: bool,
        pub host: String,
        pub port: u16,
        pub username: String,
        pub auth_method: SSHAuthMethod,
        pub password: Option<String>, // Sent to frontend - no skip_serializing
        pub private_key_path: Option<String>,
        pub passphrase: Option<String>, // Also sent to frontend
    }
Compare with ConnectionProfile which correctly hides the password:
    pub struct ConnectionProfile {
        // ...
        #[serde(skip_serializing)]
        pub password: String, // Correctly hidden from frontend
    }
Impact
- SSH credentials are sent over IPC and exist in the JavaScript frontend memory
- An XSS vulnerability would expose SSH tunnel passwords in plaintext
- The private key passphrase is also leaked to the frontend
Fix
Add #[serde(skip_serializing)] to password and passphrase fields in SSHConfig.
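To keep this class of leak from coming back, a check like the following can run in CI. It is an added example, not code from the project: a std-only, line-based heuristic (not a Rust parser) that flags secret-named fields lacking a skip attribute. The names SECRET_NAMES, SAMPLE and unskipped_secrets are assumptions, and the sample input is constructed from the structs quoted above.

```rust
// Added example (not project code): std-only lint for secret-named fields
// that serde would still serialize to the frontend.
const SECRET_NAMES: [&str; 2] = ["password", "passphrase"]; // assumed list

// Constructed sample, abridged from the two structs quoted in the issue.
const SAMPLE: &str = r#"
pub struct SSHConfig {
    pub username: String,
    pub password: Option<String>,
    pub private_key_path: Option<String>,
    pub passphrase: Option<String>,
}
pub struct ConnectionProfile {
    #[serde(skip_serializing)]
    pub password: String,
}
"#;

/// Returns "Struct.field" for each secret-named `pub` field that has no
/// `#[serde(skip_serializing)]` or `#[serde(skip)]` attribute above it.
pub fn unskipped_secrets(src: &str) -> Vec<String> {
    let mut findings = Vec::new();
    let mut current = String::new(); // struct currently being scanned
    let mut skipped = false; // skip attribute seen for the next field
    for line in src.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("pub struct ") {
            let end = rest.find(|c: char| !c.is_alphanumeric() && c != '_');
            current = rest[..end.unwrap_or(rest.len())].to_string();
            skipped = false;
        } else if let Some(args) = line.strip_prefix("#[serde(") {
            // Exact match only: skip_serializing_if is conditional, so the
            // secret can still be emitted and it does not count.
            skipped |= args
                .split(|c: char| c == ',' || c == ')')
                .any(|a| matches!(a.trim(), "skip_serializing" | "skip"));
        } else if let Some(rest) = line.strip_prefix("pub ") {
            let name = rest.split(':').next().unwrap_or("").trim();
            if SECRET_NAMES.contains(&name) && !skipped {
                findings.push(format!("{}.{}", current, name));
            }
            skipped = false; // attributes apply to one field only
        }
    }
    findings
}

fn main() {
    for f in unskipped_secrets(SAMPLE) {
        println!("serialized secret field: {}", f);
    }
}
```

On the sample it reports SSHConfig.password and SSHConfig.passphrase and stays silent on ConnectionProfile.password.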