Add section about security in WASM to the FAQ


In security settings, through HTML injection, it would be possible to obtain information related to the host that has the py-script resources.

<html>
   <head>
      <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
      <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
   </head>
   <body>
      <!-- All <py-script> blocks on the page share one interpreter, so the
           `os` module imported here is also visible in the later blocks, and
           the value of the last expression in each block is rendered as output. -->
      <py-script>
print("+-----------------------------------------+")
print('[+] PoC py-script')
print("+-----------------------------------------+")

import os
print("[+] Make dir and list")
# Directories are created in the interpreter's current working directory.
os.mkdir('blueteam')
os.mkdir('poc')
os.mkdir('jhere')
os.listdir(os.getcwd())
      </py-script>
      <py-script>
print("+-----------------------------------------+")
print("[+] Print user logged in")
print("+-----------------------------------------+")
os.getlogin()
      </py-script>
      <py-script>
print("+-----------------------------------------+")
print("[+] OS information")
print("+-----------------------------------------+")
os.uname()
      </py-script>
   </body>
</html>

Output:

+-----------------------------------------+
[+] PoC py-script
+-----------------------------------------+
[+] Make dir and list
['blueteam', 'poc', 'jhere']
+-----------------------------------------+
[+] Print user loged
+-----------------------------------------+
web_user
+-----------------------------------------+
[+] OS information
+-----------------------------------------+
posix.uname_result(sysname='Emscripten', nodename='emscripten', release='1.0', version='#1', machine='wasm32')

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
rth commented, May 2, 2022

Yes, it’s all client-side inside the WASM VM. What you are seeing is the in-memory file system provided by Emscripten. So there is no security issue, you can’t escape the browser sandbox.

1 reaction
pzwang commented, May 2, 2022

This is showing details about the WASM runtime on the client, not the host. There is a small virtual filesystem that resides in the WASM runtime, which is what your listdir() shows.

Am I missing something?

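To make the sandbox boundary the maintainers describe concrete, here is an added example of my own (not code from the pyscript project, Pyodide, or the issue thread). It hand-assembles a minimal WebAssembly module with one 64 KiB page of linear memory and a single exported function, store(addr, value), then instantiates it from Node.js with an empty import object. Everything the module can touch is its own ArrayBuffer: an in-bounds store is visible to the host only through the exported memory, an out-of-bounds store traps with WebAssembly.RuntimeError, and the export list shows that nothing beyond what the host chose to expose is reachable. Emscripten's in-memory filesystem, which is what the PoC's listdir() walks, lives inside exactly this kind of linear memory. Assumptions: a Node.js runtime with the global WebAssembly object; the byte layout and function names below are mine.

```javascript
// Added example: a hand-assembled WebAssembly module (bytes are mine, laid
// out per the WebAssembly binary format) that exports one memory page and a
// store(addr, value) function writing a 32-bit integer at addr.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,             // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,             // binary format version 1
  // type section: one function type (i32, i32) -> ()
  0x01, 0x06, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x00,
  // function section: one function, using type index 0
  0x03, 0x02, 0x01, 0x00,
  // memory section: one memory, min 1 page (64 KiB), no maximum
  0x05, 0x03, 0x01, 0x00, 0x01,
  // export section: "memory" (memory 0) and "store" (func 0)
  0x07, 0x12, 0x02,
  0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x00,
  0x05, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x00, 0x00,
  // code section: store = local.get 0; local.get 1; i32.store (align 4, offset 0); end
  0x0a, 0x0b, 0x01, 0x09, 0x00,
  0x20, 0x00, 0x20, 0x01, 0x36, 0x02, 0x00, 0x0b,
]);

const PAGE_SIZE = 65536;

// Compile and instantiate with an empty import object: the module receives
// no host functions, so it has no channel to the DOM, the network or the OS.
function instantiate() {
  const module = new WebAssembly.Module(WASM_BYTES);
  return new WebAssembly.Instance(module, {});
}

// Write a value from inside the sandbox and read it back from the host side
// through the exported memory; this is the only way data leaves the module.
function writeAndRead(addr, value) {
  const { store, memory } = instantiate().exports;
  store(addr, value);
  return new DataView(memory.buffer).getUint32(addr, true); // little-endian
}

// Attempt a store one byte past the end of linear memory. Returns true when
// the runtime trapped with WebAssembly.RuntimeError, false if the write
// (unexpectedly) succeeded.
function writeOutOfBounds() {
  const { store, memory } = instantiate().exports;
  try {
    store(memory.buffer.byteLength, 1);
    return false;
  } catch (e) {
    return e instanceof WebAssembly.RuntimeError;
  }
}

// Everything the module can offer the host, and the only surface the host
// sees; there is no implicit access in the other direction.
function exportNames() {
  return Object.keys(instantiate().exports).sort();
}

function memorySize() {
  return instantiate().exports.memory.buffer.byteLength;
}

console.log("linear memory bytes:", memorySize(), "(pages:", memorySize() / PAGE_SIZE + ")");
console.log("in-bounds store then host read:", writeAndRead(16, 0x41424344).toString(16));
console.log("out-of-bounds store trapped:", writeOutOfBounds());
console.log("exports visible to host:", exportNames());
```

The same boundary applies in the other direction: a Python call such as os.uname() in Pyodide is answered by Emscripten's libc shim inside the module, which is why the PoC reports sysname='Emscripten' and machine='wasm32' rather than anything about the visitor's machine.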
