Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Code is viewable in production #426

Closed
masudhossain opened this issue Feb 29, 2024 · 10 comments
Closed

Code is viewable in production #426

masudhossain opened this issue Feb 29, 2024 · 10 comments
Labels
bug

Comments

@masudhossain
Copy link

I recently upgraded from webpacker and now my code is viewable in production when a user inspects it using chrome dev tools under Sources tab.

Expected behavior:

All code should be unreadable when a user inspects it using the inspect tool on chrome.

Actual behavior:

Actual code is 100% viewable.

Setup environment:

  • Ruby version:
  • Rails version:
  • Shakapacker version:
@tomdracz
Copy link
Collaborator

tomdracz commented Feb 29, 2024
edited
Loading

Can you elaborate on what you mean by code being viewable in production? It's client side code shipped to the browser so it's going to be viewable.

Do you mean it's not obfuscated? In this case, I presume your previous Webpacker config skipped source maps generation. Source maps enabled by default have been a thing for Webpacker/Shakapacker for quite a while (ref rails/webpacker#1918)

In production by default code is minified by source maps are provided for ease of debugging. If you wish to skip their generation, see below on amending default webpack configuration
https://github.com/shakacode/shakapacker/blob/main/README.md#webpack-configuration
and set devtool option to false, ref

shakapacker/package/environments/production.js

Line 48 in 2aa5a8e

devtool: 'source-map',

In general, this isn't a bug and I think fairly reasonable default given the discussion rails/webpacker#769 (comment)

@masudhossain
Copy link
Author

masudhossain commented Mar 2, 2024
edited
Loading

Can you elaborate on what you mean by code being viewable in production? It's client side code shipped to the browser so it's going to be viewable.

Do you mean it's not obfuscated? In this case, I presume your previous Webpacker config skipped source maps generation. Source maps enabled by default have been a thing for Webpacker/Shakapacker for quite a while (ref rails/webpacker#1918)

In production by default code is minified by source maps are provided for ease of debugging. If you wish to skip their generation, see below on amending default webpack configuration https://github.com/shakacode/shakapacker/blob/main/README.md#webpack-configuration and set devtool option to false, ref

shakapacker/package/environments/production.js

Line 48 in 2aa5a8e

devtool: 'source-map',

In general, this isn't a bug and I think fairly reasonable default given the discussion rails/webpacker#769 (comment)

So what i mean is that my code is visible and readable under sources.
image

And yes, I want to obfuscated it so code is completely unreadable. I feel having it be readable is a big security risk.

Sorry, I don't see where in that link it shows how to enable obfuscated code.

Also, I used shakacode/react_on_rails to migrate from webpacker to shakapacker, so i do not have a devtool: 'source-map' in production.js file.

But i do have this below. Which i'm guessing i should change eval to none?
https://github.com/shakacode/react_on_rails/blob/07b2b7c7403c0d5852b0c5d9679d5e9bf2b0f609/spec/dummy/config/webpack/serverWebpackConfig.js#L105

@tomdracz
Copy link
Collaborator

tomdracz commented Mar 2, 2024

Ah yes, that looks like source maps being enabled.

Linked readme shows how to customize the webpack config so you will need to adapt it to your own use-case. In your case it could be something like below:

const { generateWebpackConfig } = require('shakapacker')

const options = {
  devtool: false
}

module.exports = generateWebpackConfig(options);

I'm not sure about the server config file but similar should apply so if you have line like that you would change it to serverWebpackConfig.devtool = false

Regarding the security risk - I think that one is up for debate, lots of arguments on that have happened over the years. Ultimately the obfuscation only gets you so far.

I do believe though that source maps enabled are a sensible default and would rather retain them. The behaviour here is not a bug but maybe needs to be spelled out bit better. Thoughts @Judahmeek @justin808 @G-Rath ?

@G-Rath
Copy link
Contributor

G-Rath commented Mar 2, 2024

Yeah this isn't a bug or a security issue - you should assume that anything client side is public; note too that neither webpacker or shakapacker provide obfuscation, they provide minification which has a side effect of making it harder to read code but it's very different from obfuscation whichll typically give a bigger output due to using long form string concats etc.

I'm not at my laptop right now but also pretty sure devtools even has a message at the bottom about it using sourcemaps.

I don't think that any particular documentation changes are needed since this is using standard webpack config 🤷‍♂️

@tomdracz
Copy link
Collaborator

tomdracz commented Mar 5, 2024

Closing as per discussion above

@tomdracz tomdracz closed this as not planned Won't fix, can't repro, duplicate, stale Mar 5, 2024
@masudhossain
Copy link
Author

Ah yes, that looks like source maps being enabled.

Linked readme shows how to customize the webpack config so you will need to adapt it to your own use-case. In your case it could be something like below:

const { generateWebpackConfig } = require('shakapacker')

const options = {
  devtool: false
}

module.exports = generateWebpackConfig(options);

I'm not sure about the server config file but similar should apply so if you have line like that you would change it to serverWebpackConfig.devtool = false

Regarding the security risk - I think that one is up for debate, lots of arguments on that have happened over the years. Ultimately the obfuscation only gets you so far.

I do believe though that source maps enabled are a sensible default and would rather retain them. The behaviour here is not a bug but maybe needs to be spelled out bit better. Thoughts @Judahmeek @justin808 @G-Rath ?

So it seems like doing serverWebpackConfig.devtool = false didn't enable obfuscation

@G-Rath
Copy link
Contributor

G-Rath commented Mar 14, 2024

Shakapacker does not provide obfuscation - if you want that, you'll need to configure it yourself via a custom webpack config

@masudhossain
Copy link
Author

Shakapacker does not provide obfuscation - if you want that, you'll need to configure it yourself via a custom webpack config

Is there any doc or guide to do this that I can humbly ask for

@G-Rath
Copy link
Contributor

G-Rath commented Mar 14, 2024

This section of the readme explains how to customize your webpack config - from there, you'll want to look into something like webpack-obfuscator

@Talha345
Copy link

Talha345 commented Jun 8, 2024

The following code works for me:

config/webpack/production.js

// The source code including full typescript support is available at: 
// https://github.com/shakacode/react_on_rails_demo_ssr_hmr/blob/master/config/webpack/production.js

const webpackConfig = require('./webpackConfig');
const webpack = require("webpack");

const productionEnvOnly = (_clientWebpackConfig, _serverWebpackConfig) => {
    // place any code here that is for production only

    // prevent source code from being visible in client's browser
    _clientWebpackConfig.devtool = 'nosources-source-map';
};

module.exports = webpackConfig(productionEnvOnly);

You can check all the available possible options at https://webpack.js.org/configuration/devtool/#production

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@G-Rath @tomdracz @masudhossain @Talha345