[SECURITY] Compiled Web Page Leaks Server Information
Problem
Hi, I have a very basic client-side web page developed with dioxus. I've built it in release mode and am serving my static page with nginx.
While reloading my web page, it leaks the file structure of my server, especially exposing my server username because of the Unix file structure (you know, the /home/username convention). These info messages come from internal dioxus sources.
Steps To Reproduce
Steps to reproduce the behavior:
- Create a web page
- Build with release mode
- Serve with nginx
Expected behavior
These info messages shouldn't be there
Screenshots
I think you removed the rebuilding trace in newer versions, but the starting-up line still exists.
Environment:
- Dioxus version: 0.5.6
- Rust version: 1.81.0
- OS info: Linux
- App platform: web
Questionnaire
I would like to fix and I have a solution
Thanks for reporting this!
I would definitely consider this a security concern when publishing an app. For Dioxus, however, I do think it's nice to have tracing for debugging, and it should be possible to filter out those traces in production with EnvFilter https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html
We may want to drop those levels to DEBUG 🤔
This looks very similar to https://github.com/DioxusLabs/dioxus/issues/2732. See that issue for suggestions about what flags you can apply to strip that information from the binary. I don't think removing all tracing logs is a reasonable solution here. You can disable them in user land if you need to, or just remap the cargo path prefix to strip that info from release builds while retaining whatever logs you find useful.
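A post-build check for the path-prefix mitigation suggested in the comment above, added here as an example and not part of the issue or of the Dioxus project: it scans a release artifact (for instance the .wasm that nginx serves) for embedded /home/&lt;user&gt; paths so a deploy step can fail before a build that still carries them goes live. The artifact path, the `/build` remap target and the build command in the trailing comment are assumptions.

```bash
# Scan a compiled artifact for absolute /home/<user>/... source paths baked in
# by the compiler or by tracing's file/module metadata. Prints each distinct
# leaked prefix, one per line (empty output means nothing was found).
leaked_home_paths() {
    # Treat the binary as text: replace every non-printable byte with a newline,
    # then extract each /home/<user> prefix that survived the release build.
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
        | grep -oE '/home/[^/[:space:]]+' \
        | sort -u
}

# Return 0 when the artifact is clean, 1 when it still embeds home paths.
# Meant as a CI gate between the release build and copying files to nginx.
assert_no_home_paths() {
    local found
    found=$(leaked_home_paths "$1")
    if [ -n "$found" ]; then
        printf 'leaked source paths in %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Build-side fix from the maintainer comment: remap the local checkout prefix
# so only a neutral placeholder (here /build, an arbitrary choice) is embedded.
# Assumed invocation; adjust to your build command:
#   RUSTFLAGS="--remap-path-prefix=$HOME=/build" cargo build --release
```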
Since many people may forget to strip, I personally think that you should move all trace logs to debug version and keep release version clean.