--pre-js and --post-js options expose PII in full paths. #21084

@erikh2000

Please include the following in your bug report:

Version of emscripten/emsdk:

emcc (Emscripten gcc/clang-like replacement + linker emulating GNU ld) 3.1.51 (c0c2ca1314672a25699846b4663701bcb6f69cca)
clang version 18.0.0git (https://github.com/llvm/llvm-project f2464ca317bfeeedddb7cbdea3c2c8ec487890bb)
Target: wasm32-unknown-emscripten
Thread model: posix

Failing command line in full:
emcc --pre-js someFile.js --post-js someOtherFile.js helloWorld.c -o helloWorld.js

When JS files are included there is a helpful set of comments showing where the source came from. It looks like this:

// include: /Users/user-account-name/path/to/source/someFile.js
console.log('Doing something in my pre-JS.');
// end include: /Users/user-account-name/path/to/source/someFile.js

This isn't a giant security flaw, but I really don't want my user name or information about the paths on my local filesystem in the source code. The code in question will be on an open source repository. I don't want it to be used as the basis of an attack. And also, even if I can do things easily to stay secure, my open source code might end up exposing somebody else's PII when they run a build.

My suggestion is that the path should by default output the exact path from the --pre-js or --post-js params. This might be an absolute or relative path. It might even include the user's PII in the path, but in this case, the user would be explicitly causing it to happen.

Alternatively, a flag like "--output-no-paths" or something to suppress the output.

I'm new to emscripten, and half expect somebody to tell me I'm Doing It Wrong. No worries if that is the case. I'm trying to be constructive.
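A post-build check for the include comments described in the issue above, as an added example that is not part of the original post and not Emscripten code. It assumes the comment format is exactly the one in the issue's sample; `find_leaks`, `scrub`, the `project_root` parameter and the script name are hypothetical, and the sample input is constructed.

```python
import re
import sys

# Constructed sample in the shape shown in the issue; the last line is a
# made-up relative include that must be left alone.
SAMPLE = (
    "// include: /Users/user-account-name/path/to/source/someFile.js\n"
    "console.log('Doing something in my pre-JS.');\n"
    "// end include: /Users/user-account-name/path/to/source/someFile.js\n"
    "// include: relative/other.js\n"
)

# Comment format assumed from the issue's sample only.
INCLUDE_RE = re.compile(r"^(\s*// (?:end )?include: )(?P<path>.+?)\s*$")
WINDOWS_ABS_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")

def is_absolute(path):
    """POSIX absolute path, Windows drive path, or UNC path."""
    return path.startswith("/") or WINDOWS_ABS_RE.match(path) is not None

def find_leaks(js_text):
    """Return [(line_number, path)] for include comments with absolute paths."""
    leaks = []
    for number, line in enumerate(js_text.split("\n"), 1):
        m = INCLUDE_RE.match(line)
        if m and is_absolute(m.group("path")):
            leaks.append((number, m.group("path")))
    return leaks

def scrub(js_text, project_root):
    """Make absolute include paths relative to project_root (hypothetical
    parameter); paths outside the root are cut down to the file name."""
    root = project_root.replace("\\", "/").rstrip("/") + "/"
    out = []
    for line in js_text.split("\n"):
        m = INCLUDE_RE.match(line)
        if m and is_absolute(m.group("path")):
            path = m.group("path").replace("\\", "/")
            short = path[len(root):] if path.startswith(root) else path.rsplit("/", 1)[-1]
            line = m.group(1) + short + line[m.end("path"):]
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    # Usage: python check_includes.py helloWorld.js  (exit 1 if any leak)
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = find_leaks(fh.read())
    for number, path in found:
        print(f"{sys.argv[1]}:{number}: absolute include path: {path}")
    sys.exit(1 if found else 0)
```

Run as a CI step against the generated JavaScript, the check fails the build before a file carrying a contributor's home directory is committed.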
