Closed Shnatsel closed 5 months ago
Gave this a shot with a fairly standard template component, it looks like the embedding works but cargo-audit might not have Wasm support. https://github.com/brooksmtownsend/cargo-auditable-wasmcloud
It's also possible I'm not using cargo audit properly 😄
Indeed, cargo audit doesn't support WASM yet. That will also have to be implemented.
Back when I was writing cargo auditable, I found that the libraries for extracting data did not handle untrusted input particularly well - they could allocate unbounded amounts of memory, and also panicked on certain inputs. Because of that I've written https://github.com/Shnatsel/binfarce, which cannot have such failure modes by design.
I'm not sure how robust the wasmparser crate is. It seems to be doing a whole lot more parsing than what we actually need, presenting a rather big attack surface. I don't know how resilient it is to untrusted input; I don't see any indication that the parser has been fuzzed, for example.
It shouldn't be hard to extend binfarce to also parse WASM custom sections, if wasmparser proves unsuitable.
Well, it seems wasmparser actually was designed for parsing untrusted input - it is dealing with WASM after all. Fuzzing it didn't seem to turn up any issues. There is one unsafe block but there is no way to express that in safe code, and it appears to be correct. I think I'll be able to wire it up to the extraction pipeline.
The part I am not thrilled about is that I can no longer guarantee absence of heap allocations and therefore absence of OOM denial-of-service if I use wasmparser. Adding WASM support to binfarce would avoid that.
I've added the extraction pipeline using wasmparser. You can test it with rust-audit-info in-tree.
IIRC cargo audit will require a bit more work, but it is going to be quite trivial.
Sadly wasmparser pulls in more dependencies than I would like: https://github.com/bytecodealliance/wasm-tools/issues/1528
It doesn't look like they're actually using them when the std feature is enabled, so it might not be active attack surface - but it's weird to lug all this dead weight around, and complicate packaging for distributions.
TODO:
Fixes #53
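
The thread weighs a full parser against a reader that only locates one WASM custom section without heap allocation or panics on untrusted input. The sketch below is an added example of that narrower approach, not code from cargo auditable, binfarce or wasmparser; `read_u32_leb`, `find_custom_section`, the section name `demo` and the sample module are constructed for illustration.

```rust
// Added example: allocation-free lookup of a WASM custom section.
// Every length is checked against the remaining input, so a malformed
// file yields None instead of a panic or an oversized allocation.

/// Decode an unsigned LEB128 u32; returns (value, bytes consumed).
fn read_u32_leb(data: &[u8]) -> Option<(u32, usize)> {
    let mut value: u32 = 0;
    for (i, &byte) in data.iter().take(5).enumerate() {
        let low = (byte & 0x7f) as u32;
        // The fifth byte may only supply the top 4 bits of a u32.
        if i == 4 && low > 0x0f {
            return None;
        }
        value |= low << (7 * i);
        if byte & 0x80 == 0 {
            return Some((value, i + 1));
        }
    }
    None // truncated, or longer than 5 bytes
}

/// Payload of the first custom section named `wanted`, borrowed from
/// `module`. Hypothetical helper, not an API of any crate in the thread.
pub fn find_custom_section<'a>(module: &'a [u8], wanted: &[u8]) -> Option<&'a [u8]> {
    // Header: magic "\0asm" followed by a 4-byte version field.
    let mut rest = module.strip_prefix(b"\0asm")?.get(4..)?;
    while let Some((&id, after_id)) = rest.split_first() {
        let (size, n) = read_u32_leb(after_id)?;
        let size = size as usize;
        let body_start = after_id.get(n..)?;
        // A declared size that runs past end-of-input is rejected here.
        let body = body_start.get(..size)?;
        rest = &body_start[size..];
        if id != 0 {
            continue; // only section id 0 is a custom section
        }
        let (name_len, m) = read_u32_leb(body)?;
        let name_end = m.checked_add(name_len as usize)?;
        if body.get(m..name_end)? == wanted {
            return Some(&body[name_end..]);
        }
    }
    None
}

fn main() {
    // Constructed module: header plus custom section "demo" holding "hi".
    let module = b"\0asm\x01\0\0\0\x00\x07\x04demohi";
    assert_eq!(find_custom_section(module, b"demo"), Some(&b"hi"[..]));
}
```

The returned slice borrows from the input, so peak memory is bounded by the file already in memory regardless of what the section headers claim.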