• 2 Posts
  • 12 Comments
Joined 1 year ago
cake
Cake day: June 11th, 2023

help-circle

  • There was a recent related discussion on Hacker News and the top comment discusses why this sort of solution is not likely to be the best fit for smaller organizations. In short, doing it well requires time and effort from someone technically sophisticated, who must do more than the bare minimum for good results, as you just learned.

    Even then, it’s likely to be less reliable than solutions hosted by big corporations and when there’s a problem, it’s your problem. I don’t want to discourage you, but understand what you’re committing to and make sure you have adequate buy-in in your organization.



  • That’s a valid point, though it looks like Popfile’s installation instructions call for manually installing libraries, presumably current ones. I think it processes only text, not PDFs or images, which are traditional sources of vulnerabilities. I’m fairly certain it doesn’t attempt to execute Javascript. It is, itself written in Perl, which is memory-safe.

    It’s worth considering security because there’s so much malware out there trying to spread indiscriminately, but Popfile is less vulnerable than an Android app (which bundles its dependencies) or anything written in C (which is subject to all kinds of memory management bugs).










  • Solved-ish.

    I got webpack to run reliably by replacing its use of md4 with sha256 in these files:

    $ grep -r md4 node_modules/webpack
    node_modules/webpack/lib/ModuleFilenameHelpers.js:      const hash = createHash("md4");
    node_modules/webpack/lib/optimize/ConcatenatedModule.js:                const hash = createHash("md4");
    node_modules/webpack/lib/optimize/SplitChunksPlugin.js:         .createHash("md4")
    node_modules/webpack/lib/NamedModulesPlugin.js: const hash = createHash("md4");
    node_modules/webpack/lib/SourceMapDevToolPlugin.js:                                                             contentHash: createHash("md4")
    node_modules/webpack/lib/WebpackOptionsDefaulter.js:            this.set("output.hashFunction", "md4");
    node_modules/webpack/lib/HashedModuleIdsPlugin.js:                              hashFunction: "md4",
    

    then in `config/initializers/content_security_policy.rb’, I replaced the line

    .script_src :self, assets_host, "'wasm-unsafe-eval'"

    with

    p.script_src :self, assets_host, "'wasm-unsafe-eval' 'unsafe-eval'"

    This seems like way more tinkering with the code and defaults than I should need to keep the server running so I’ll probably dig more later. I hope this post ends up being useful to anyone else having an issue.