Update documentation on using custom Hermes builds #1241

Closed
matias-la opened this issue Jan 8, 2024 · 5 comments

Comments

@matias-la

Description

The Using a custom Hermes build in a React Native app documentation section hasn't been updated in a while. It dates back to the time when Hermes was shipped through a separate NPM package. But since the changes documented in Bundled Hermes occurred, this is no longer true and Hermes is bundled together with the react-native package. It isn't clear how it would be possible to run our application using a custom Hermes build.

Context about this request: we're running a security-sensitive RN app, so we'd like to apply some security hardening patches on top of the upstream Hermes version. But it's unclear how we'd be able to do this.

CC @cortinico

tmikov (Contributor) commented Jan 8, 2024

IIRC, there is a way to tell RN to build Hermes from a different directory. I don't remember the details, but someone will probably chime in here.

BTW (and I don't know whether that is your use case), Hermes should not be used to run untrusted JS. For untrusted JS we have a security sandbox (which will make its way to GitHub soon).

neildhar (Contributor) commented Jan 9, 2024

Hey @matias-la, we've recently discussed this in facebook/react-native#38658. You should be able to follow the steps there to get Hermes building from source.

matias-la (Author) commented

Thanks! We ended up using an approach similar to REACT_NATIVE_OVERRIDE_HERMES_DIR, but patching react-native so it downloads the source from a trusted source and verifies its integrity. Seems to be working fine for now.
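The fetch-and-verify step described in the comment above, as an added example that is not react-native's or the reporter's own code; the URL, the pinned digest and the destination directory are values you choose yourself, and only the hashing and verification functions can be exercised offline (the curl download is not):

```shell
#!/bin/sh
# Added example (not react-native's or the reporter's own code): fetch a Hermes
# source tarball from a URL you pin and refuse to build unless its SHA-256 matches
# a digest pinned alongside it. The digest you pass in is yours to maintain;
# nothing here is a real Hermes release digest.
set -eu

# Hex SHA-256 of a file, using coreutils sha256sum or BSD/perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only when the file's digest equals the pinned one; say why otherwise.
verify_tarball() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "ok: $file matches pinned SHA-256"
    return 0
  fi
  echo "MISMATCH for $file (expected $expected, got $actual)" >&2
  return 1
}

# Download to a temp file, verify, and only then extract into the directory that
# REACT_NATIVE_OVERRIDE_HERMES_DIR will point at. An unverified file never lands there.
fetch_and_verify_hermes() {
  url="$1"; expected="$2"; dest_dir="$3"
  tmp=$(mktemp)
  # --proto '=https' and --tlsv1.2 refuse plaintext or downgraded transports.
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  verify_tarball "$tmp" "$expected" || { rm -f "$tmp"; return 1; }
  mkdir -p "$dest_dir"
  tar -xzf "$tmp" -C "$dest_dir" --strip-components=1
  rm -f "$tmp"
  echo "Hermes source verified in $dest_dir; set REACT_NATIVE_OVERRIDE_HERMES_DIR=$dest_dir"
}
```

Running the fetch step with a wrong digest leaves nothing in the destination directory, so a later Hermes build cannot silently pick up an unverified tree.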

facebook-github-bot pushed a commit that referenced this issue Feb 23, 2024
Summary:
Original Author: [email protected]
Original Git: 3d6e181
Original Reviewed By: cipolleschi
Original Revision: D53398699

Fixes #1241

Pull Request resolved: #1297

Pulled By: cortinico

Reviewed By: avp

Differential Revision: D54092042

fbshipit-source-id: c0a9f28be1345707ba308b2bd8af39804d06f5db

leotm commented Apr 22, 2024

> so we'd like to apply some security hardening patches on top of the upstream Hermes version. But it's unclear how we'd be able to do this.

FWIW, we're working on applying some security hardening patches (hardened JS / Secure EcmaScript) on top of the upstream Hermes version too, via a shim (tracking here if interested or any overlap), to trust that the JS is free from prototype pollution (then sandbox RN app dependencies next).


leotm commented Apr 22, 2024

> but patching react-native so it downloads the source from a trusted source and verifies its integrity. Seems to be working fine for now.

We had success this way too ^ Thought it might be worth mentioning, in case anyone is thinking about cherry-picking static_h or hermes commits on top of your trusted source fork/repo: the change may not be backwards-compatible (we're working around this), but of course Static Hermes will be when it ships.
