lotp icon indicating copy to clipboard operation
lotp copied to clipboard

Published 20 hours ago verified publisher icon boostsecurityio

[LOTP] Add webpack

Open allanlw opened this issue 10 months ago • 0 comments

Description of the LOTP tool

webpack is used for bundling javascript.

Files

Webpack will load configuration files in Javascript format of course (e.g. webpack.config.js)

What is less well known is that the webpack magic comments feature lets you execute code during compile time by adding comments to Javascript files.

Documentation

It has a note in the documentation saying

Do not compile untrusted code with webpack. It could lead to execution of malicious code on your computer, remote servers, or in the Web browsers of the end users of your application.

Config Files: https://webpack.js.org/configuration/

Magic Comments: https://webpack.js.org/api/module-methods/#magic-comments

Real-world example

https://gist.github.com/allanlw/9df6a260d689500c7e25cb9a56bdd54d I've verified it works on Webpack 5.91 (the current stable).

Additional notes

I would appreciate a credit if this is integrated, as I believe I discovered it (the note in the docs was added after I reported it on July 12th, 2020)

allanlw avatar Apr 17 '24 19:04 allanlw