Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pre-check wasm before compiling #50

Closed
2 of 3 tasks
ethanfrey opened this issue Oct 27, 2019 · 3 comments · Fixed by #108
Closed
2 of 3 tasks

Pre-check wasm before compiling #50

ethanfrey opened this issue Oct 27, 2019 · 3 comments · Fixed by #108
Assignees
@ethanfrey
Labels
Security Close potential security issue (required before production)

Comments

@ethanfrey
Copy link
Member

ethanfrey commented Oct 27, 2019
edited
Loading

Let's filter out some stuff before passing it to the backend:

  • valid wasm (magic number)
  • no floating point ops (wasm-parser can do that)
  • check signatures of imports/exports - validate before attempting to instantiate

others??
@ethanfrey
Copy link
Member Author

We can use wasmparser to get some info on the wasm.

This is used in a wasmer PR.

When iterating over all operators, you can force error on any floating point ops

@ethanfrey ethanfrey added the Security Close potential security issue (required before production) label Dec 17, 2019
@ethanfrey ethanfrey mentioned this issue Dec 20, 2019
Merged
@ethanfrey
Copy link
Member Author

For validating imputs, we can use this library: https://docs.rs/wasm-nm/0.2.1/wasm_nm/fn.symbols.html as a pre-processing step

Get the list of imports and exports. Assert the following exports are all present:

query
init
handle
allocate
deallocate

Ensure that no more than the following imports are required:

i c_read
i c_write
i c_canonical_address
i c_human_address

@workshub
Copy link

workshub bot commented Jan 13, 2020

This issue is now published on WorksHub. If you would like to work on this issue you can
start work on the WorksHub Issue Details page.

@ethanfrey ethanfrey self-assigned this Jan 13, 2020
@ethanfrey ethanfrey mentioned this issue Jan 13, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ethanfrey ethanfrey

Labels
Security Close potential security issue (required before production)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Check wasm public api before saving CosmWasm/cosmwasm
1 participant
@ethanfrey