From 9f130a3ef903ca7f3e7745291e8e0464110c7acd Mon Sep 17 00:00:00 2001 From: Thomas Linford Date: Mon, 2 Oct 2023 10:42:30 +0200 Subject: [PATCH] fix(plugins): address potential security issue (#2830) * set static_memory_bound to 0 * add explanatory comment --- zellij-server/src/lib.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/zellij-server/src/lib.rs b/zellij-server/src/lib.rs index bfacbad73f..8cb05c8e80 100644 --- a/zellij-server/src/lib.rs +++ b/zellij-server/src/lib.rs @@ -910,8 +910,17 @@ fn init_session( #[cfg(not(feature = "singlepass"))] fn get_store() -> Store { + use wasmer::{BaseTunables, Cranelift, Engine, Pages, Target}; log::info!("Compiling plugins using Cranelift"); - Store::new(wasmer::Cranelift::default()) + + // workaround for https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ff4p-7xrq-q5r8 + let mut tunables = BaseTunables::for_target(&Target::default()); + tunables.static_memory_bound = Pages(0); + let compiler = Cranelift::default(); + let mut engine: Engine = compiler.into(); + engine.set_tunables(tunables); + + Store::new(engine) } #[cfg(feature = "singlepass")]