fix(plugins): address potential security issue (#2830)

* set static_memory_bound to 0 * add explanatory comment
2024-11-25 23:33:08 +03:00 · 2023-10-02 10:42:30 +02:00 · 2023-10-02 10:42:30 +02:00 · 9f130a3ef9
commit 9f130a3ef9
parent 7ccefc0d6c
1 changed files with 10 additions and 1 deletions
--- a/zellij-server/src/lib.rs
+++ b/zellij-server/src/lib.rs
@ -910,8 +910,17 @@ fn init_session(

 #[cfg(not(feature = "singlepass"))]
 fn get_store() -> Store {
+    use wasmer::{BaseTunables, Cranelift, Engine, Pages, Target};
    log::info!("Compiling plugins using Cranelift");
-    Store::new(wasmer::Cranelift::default())
+
+    // workaround for https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ff4p-7xrq-q5r8
+    let mut tunables = BaseTunables::for_target(&Target::default());
+    tunables.static_memory_bound = Pages(0);
+    let compiler = Cranelift::default();
+    let mut engine: Engine = compiler.into();
+    engine.set_tunables(tunables);
+
+    Store::new(engine)
 }

 #[cfg(feature = "singlepass")]