Why does webpack warn not to compile untrusted code?

I am trying to understand how this works in the case of JavaScript. Webpack basically minifies the JavaScript when it says "compiling", I suppose. So in this case, how can some untrusted JavaScript code lead to execution of malicious code through webpack on the server? A kind person in the JavaScript IRC channel told me this could be achieved using inline loader syntax. But I still don't understand how this is possible.

For reference the warning displayed in the getting started page is this:

Do not compile untrusted code with webpack. It could lead to execution of malicious code on your computer, remote servers, or in the Web browsers of the end users of your application.

Ref: https://webpack.js.org/guides/getting-started/


More information:
There are two ways it can execute code: when being compiled (via loaders) and when being run. SSR would be the latter; if you compile code on your server, the former. https://webpack.js.org/concepts/loaders/#inline allows you to specify a loader without it being in the webpack config, and loaders can run whatever they want.

Answer

A script that is being webpacked (and any script it includes) can run code when it is packed, and this is by design.

That warning was added after I sent an email into the npm security folks (request 86380) about webpack running code during the packing phase with this POC.

The trick is to abuse the “Magic Comments” feature documented here.

Just checked on current webpack 5.23.0 and this still works.

Apparently inline loaders are another abuse pathway. See: https://github.com/webpack/webpack/issues/10231
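As an added defensive check (not code from the answer above or from webpack itself): a small Node script that flags, before a build, the two compile-time pathways this page names, inline loader syntax in module specifiers and webpack "magic comments". The regexes and the sample source are constructed for this example, and a flagged line is a review prompt, not proof of malice.

```javascript
'use strict';

// Module specifier in `import x from '...'`, `import('...')` or `require('...')`.
// (Constructed for this example; it is a line-oriented heuristic, not a JS parser.)
const SPECIFIER_RE = /(?:\bimport\s*\(|\brequire\s*\(|\bfrom\s+|\bimport\s+)\s*(['"])([^'"]+)\1/g;
// Inline loader syntax separates loaders and the target with "!" and also uses
// the "!", "!!" and "-!" prefixes; any "!" in a specifier is therefore suspect.
const INLINE_LOADER_RE = /!/;
// Magic comment: a block comment whose body starts with a "webpack..." key.
const MAGIC_COMMENT_RE = /\/\*\s*webpack\w+\s*:[\s\S]*?\*\//g;

// Returns one finding per suspicious construct: { line, kind, detail }.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    let m;
    SPECIFIER_RE.lastIndex = 0;
    while ((m = SPECIFIER_RE.exec(text)) !== null) {
      if (INLINE_LOADER_RE.test(m[2])) {
        findings.push({ line: idx + 1, kind: 'inline-loader', detail: m[2] });
      }
    }
    MAGIC_COMMENT_RE.lastIndex = 0;
    while ((m = MAGIC_COMMENT_RE.exec(text)) !== null) {
      findings.push({ line: idx + 1, kind: 'magic-comment', detail: m[0] });
    }
  });
  return findings;
}

// Constructed sample input: a mix of harmless and review-worthy lines.
const SAMPLE = [
  "import React from 'react';",
  "import styles from 'style-loader!css-loader!./app.css';",
  "const cfg = require('!!raw-loader!./config.txt');",
  "const page = import(/* webpackChunkName: \"page\" */ './page');",
  "console.log('plain line, nothing to flag');",
].join('\n');

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} -> ${f.detail}`);
}
```

Run it over the files of a dependency you are about to bundle (for example by reading each `.js` file and passing its contents to `scanSource`) and review every hit by hand.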
