-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider adding a security warning? #53
Comments
Personally I expected this from this library, I hope nobody expects otherwise. I even skip the type checking wrapper and call the native functions directly. One of the reasons I use this lib instead of Electron or NW.js is to avoid all the security overhead. Headless-gl may be what you're looking for. It's much more WebGL compilant, although I don't know if it's possible to render to a window with it. |
Well given the first line in the readme is
Yes, I'd expect people to think it's actually WebGL. That it's secure and compatible. Thanks for the suggestion of headless-gl. That said, the point of this issue is really probably that the readme should change. It should change to say this is not WebGL and it's also insecure. |
I agree, it's misleading. Consider making a pull request that updates the readme. I'll eventually send a pull request for adding more strict and more lax checking, for both use cases (performance, and security + debugging). |
headless-gl doesn't render, and it is slow (no GPU?), and is for integration testing. It'd be awesome to have a standalone WebGL implementation (security features and everything), for use outside a browser. |
node-webgl was my intent to run webgl code using node in a cross-platform manner, but also allow for explorations of features not possible with webgl. Some of these features came later as the specs progressed and I have to check if the syntax is correct.
When it comes to security, no that wasn’t my goal. My goal was performance and I let security aside to later if it was really requested. I must say that’s the first time in years that this is asked. The code tries to do lots of checks to avoid robustness issues but when I wrote it, many GPU didn’t have robustness features described in the standard.
Anyway, the goal of node-webgl is not to be a browser. It has always been a library to help developers create their applications quickly and to run them on server.
On Jul 27, 2017, at 10:48 PM, Joseph Orbegoso Pea <[email protected]<mailto:[email protected]>> wrote:
Headless-gl may be what you're looking for. It's much more WebGL compilant, although I don't know if it's possible to render to a window with it.
headless-gl doesn't render, and it is slow (no GPU?), and is for integration testing<stackgl#114 (comment)>.
…________________________________
It'd be awesome to have a standalone WebGL implementation (security features and everything), for use outside a browser.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#53 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAxYLLArAxKqjCbpLyeZ6mECTTj4I0mJks5sSXYrgaJpZM4KGXYa>.
|
WebGL takes pretty extreme steps to prevent data leakage and other security issues.
It clears all memory allocated by GL. It checks for all out of bounds conditions. It also re-writes all shaders to make sure they don't exceed certain limits.
node-webgl seems to do none of this. This seems like a pretty big security issue
Whether it's user shaders (like if you wanted to render shadertoy images on the server) or even textures and geometry data. If texture sizes are set by the user it could be easy to overwhelm the driver. If user indexed geometry is passed in it would allow reading all of GPU (and possibly CPU) memory by passing in out of range indices.
Example: call
gl.texImage2D
with null then render the texture and callgl.readPixels
or just add the texture to a framebuffer and callgl.readPixels
. In either case you'll get uninitialized memory the contents of which could be passwords, ssh keys, photos, or other user data.A bug in your GL code that seems to be working might actually be exposing uninitialized data
Another examples is client side arrays. WebGL doesn't allow them but node-webgl doesn't check which means attributes can read random places in memory.
With enough care it's certainly possible to use node-webgl for some use cases but I'm just wondering should there be some large warning in the README about these issues? I'd expect lots of devs to be unaware of them and just blindly add node-webgl to their project.
The text was updated successfully, but these errors were encountered: