fix(plugins): address potential security issue (#2830)

* set static_memory_bound to 0 * add explanatory comment
zellij-org · Oct 2, 2023 · 9f130a3 · 9f130a3
1 parent 7ccefc0
commit 9f130a3
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/zellij-server/src/lib.rs b/zellij-server/src/lib.rs
@@ -910,8 +910,17 @@ fn init_session(
 
 #[cfg(not(feature = "singlepass"))]
 fn get_store() -> Store {
+    use wasmer::{BaseTunables, Cranelift, Engine, Pages, Target};
     log::info!("Compiling plugins using Cranelift");
-    Store::new(wasmer::Cranelift::default())
+
+    // workaround for https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ff4p-7xrq-q5r8
+    let mut tunables = BaseTunables::for_target(&Target::default());
+    tunables.static_memory_bound = Pages(0);
+    let compiler = Cranelift::default();
+    let mut engine: Engine = compiler.into();
+    engine.set_tunables(tunables);
+
+    Store::new(engine)
 }
 
 #[cfg(feature = "singlepass")]