Hacker News

ratorx yesterday at 5:39 PM

There’s a big difference in the expected use of a file. If the file is attacker provided, and the fallback path is being used, the attacker can embed whatever WASM payload they want into the file since the file will be “opened” by “execute this offset into the file”.

Compare that to JSON. The parser NEVER needs to execute arbitrary instructions. Parser might have bugs, but it avoids a whole class of issues.


Replies

gavinray yesterday at 5:40 PM

> the attacker can embed whatever WASM payload they want into the file since the file will be “opened” by “execute this offset into the file”.

And then do what with it?

WASM physically cannot interact with the underlying host or perform I/O -- you need a WASI environment for that.

bguebert yesterday at 6:54 PM

I mean, JSON might not be the best example, since for a long time people would run JSON through a JavaScript engine to parse it, but I can see your point.
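The import boundary discussed in this thread, as an added example that is not part of any comment above: a host can list what an embedded WASM module asks for before running it and refuse anything outside an allow-list. The two byte arrays are hand-assembled for illustration, and `env.read`, `requestedImports` and `instantiateWithPolicy` are hypothetical names.

```javascript
// Added example: a WebAssembly module reaches the host only through imports.
// Both modules below are constructed, hand-assembled byte strings.

// Exports add(i32, i32) -> i32 and declares no imports.
const PURE_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,        // magic, version 1
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,  // type (i32,i32)->i32
  0x03, 0x02, 0x01, 0x00,                                // one func of type 0
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00,  // export "add"
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b, // body
]);

// Declares a single import, env.read: () -> () (hypothetical name).
const IMPORTING_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,        // magic, version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,                    // type () -> ()
  0x02, 0x0c, 0x01, 0x03, 0x65, 0x6e, 0x76,              // import module "env"
  0x04, 0x72, 0x65, 0x61, 0x64, 0x00, 0x00,              // field "read", func 0
]);

// List what a module asks the host for, without running any of its code.
function requestedImports(bytes) {
  const mod = new WebAssembly.Module(bytes);
  return WebAssembly.Module.imports(mod)
    .map((i) => `${i.module}.${i.name}:${i.kind}`);
}

// Instantiate only when every requested import is a function on the
// allow-list; the module receives nothing else from the host.
function instantiateWithPolicy(bytes, allowed) {
  const mod = new WebAssembly.Module(bytes);
  const imports = {};
  for (const { module, name, kind } of WebAssembly.Module.imports(mod)) {
    const key = `${module}.${name}`;
    const fn = Object.prototype.hasOwnProperty.call(allowed, key)
      ? allowed[key] : undefined;
    if (kind !== 'function' || typeof fn !== 'function') {
      throw new Error(`refusing import ${key} (${kind})`);
    }
    imports[module] = imports[module] || {};
    imports[module][name] = fn;
  }
  return new WebAssembly.Instance(mod, imports);
}
```

This check covers host capabilities only; it does not bound the CPU or memory a payload consumes, and it does not protect against bugs in the WASM runtime itself.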