Fix security: enable CSP and eliminate shell injection in entrypoint

- Enable restrictive Content Security Policy in tauri.conf.json instead of null (disabled), restricting scripts/connects to self + Tauri IPC - Fix shell injection in entrypoint.sh by replacing su -c with direct git config --file writes, preventing names with quotes (e.g. O'Brien) from breaking startup or enabling code execution Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 20:43:04 +00:00
parent 03e0590631
commit 265b365f0b
2 changed files with 5 additions and 4 deletions
--- a/app/src-tauri/tauri.conf.json
+++ b/app/src-tauri/tauri.conf.json
@@ -22,7 +22,7 @@
      }
    ],
    "security": {
-      "csp": null
+      "csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' asset: https://asset.localhost; font-src 'self' data:; connect-src 'self' ipc: http://ipc.localhost"
    }
  },
  "bundle": {