Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

--pre-js/--post-js leak local path information (potentially security-relevant) in their output #21477

Closed
sgbeal opened this issue Mar 6, 2024 · 2 comments
Closed

--pre-js/--post-js leak local path information (potentially security-relevant) in their output #21477

sgbeal opened this issue Mar 6, 2024 · 2 comments

Comments

@sgbeal
Copy link

sgbeal commented Mar 6, 2024
edited
Loading

Version of emscripten/emsdk:

$ emcc -v
emcc (Emscripten gcc/clang-like replacement + linker emulating GNU ld) 3.1.55 (165133b1cc977f0b9a277e42ef809b823157189c)
clang version 19.0.0git (https:/github.com/llvm/llvm-project 6c7805d5d186a6d1263f90b8033ad85e2d2633d7)
Target: wasm32-unknown-emscripten
Thread model: posix
InstalledDir: /home/stephan/src/emsdk/upstream/bin

Failing command line in full:
N/A

Full link command and output with -v appended:
N/A

When using --pre-js and friends, emcc is injecting lines into the output in the form:

// include: /path/to/input/file.js
// end include: /path/to/input/file.js

To the best of my recollection it did not always do this (i'm noticing it for the first time, in any case).

Example:

$ grep ' include:' jswasm/sqlite3-node.mjs | grep lite
// include: /home/stephan/f/s/lite/ext/wasm/bld/pre-js.sqlite3-node.js
// end include: /home/stephan/f/s/lite/ext/wasm/bld/pre-js.sqlite3-node.js
// include: /home/stephan/f/s/lite/ext/wasm/bld/post-js.sqlite3-node.js
// end include: /home/stephan/f/s/lite/ext/wasm/bld/post-js.sqlite3-node.js

The utility of having those lines in there is clear, but they're potentially security-relevant, leaking info about the build system which end users have no need to know. Every bit of leaked info about a system is a clue for potential attackers. In the case of my local system this is a non-issue, but there are plenty of sysadmins out there who are understandably more paranoid.

Edit: an example of how this is potentially security-relevant is that the paths above expose my login name to anyone reading the code. Not that that's a secret in my case, but it may well be in some users' cases.
@kripken
Copy link
Member

kripken commented Mar 6, 2024

See previous discussion in #21084 . To summarize, that is only present in debug builds, and debug builds can have a lot of other local information embedded in them anyhow.

Unless you are seeing this in a release build somehow? That would be a very different matter.

@sgbeal
Copy link
Author

sgbeal commented Mar 7, 2024

Fair enough! This is a debug build.

@sgbeal sgbeal closed this as completed Mar 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kripken @sgbeal