[Interest] QML preprocessing

Alexander Ivash elderorb at gmail.com
Wed Apr 24 21:23:25 CEST 2019 

>> That's possible to do with qmake already, but you'll have to build
resource files manually via custom targets

Great! Where can I read about this? Is there any examples?

>> You can wrap this whole expression into function and replace that
>> function with empty one:

>> function printPasswordToDebug() {
>>  console.debug('password: ', someFunctionWhichReturnsPasswordFromProtectedStorage());
>> }

>> and replace printPasswordToDebug

Yeah, it could work in theory, but in practice there already a lot of
places which would require such a modification. This solution just
doesn't scale. Moreover, resulting binary will contain
string 'console.debug('password: ',
someFunctionWhichReturnsPasswordFromProtectedStorage());' (well, maybe
not if qml compiler was enabled).

ср, 24 апр. 2019 г. в 22:19, Alexander Ivash <elderorb at gmail.com>:
>
> ср, 24 апр. 2019 г. в 22:08, Konstantin Tokarev <annulen at yandex.ru>:
> >
> >
> >
> > 24.04.2019, 22:01, "Alexander Ivash" <elderorb at gmail.com>:
> > > What I really need is some 'plugin' to qmake which would allow to
> > > modify qml files on the fly before placing it into resources (but not
> > > touching them on filesystem!). In ideal world, yeah.
> >
> > That's possible to do with qmake already, but you'll have to build
> > resource files manually via custom targets
> >
> > >
> > > ср, 24 апр. 2019 г. в 21:51, Alexander Ivash <elderorb at gmail.com>:
> > >>  2Jerome:
> > >>
> > >>  The issue is that even if that function will be doing nothing, logging
> > >>  data (which might be sensitive) can be captured via hooks / dump
> > >>  analysis etc. I really need to pre-processes to eliminate not only
> > >>  function call but also function parameters completely. Think about
> > >>  this scenario:
> > >>
> > >>  console.debug('password: ',
> > >>  someFunctionWhichReturnsPasswordFromProtectedStorage());
> >
> > You can wrap this whole expression into function and replace that
> > function with empty one:
> >
> > function printPasswordToDebug() {
> >   console.debug('password: ', someFunctionWhichReturnsPasswordFromProtectedStorage());
> > }
> >
> > and replace printPasswordToDebug
> >
> > >>
> > >>  In this case even if console.debug will be replaced with empty
> > >>  function, 'someFunctionWhichReturnsPasswordFromProtectedStorage()'
> > >>  will be executed anyway and as the result password will appear
> > >>  somewhere in JS heap so after capturing dump it will be simpler to
> > >>  find it.
> > >>
> > >>  2Tomasz:
> > >>
> > >>  In fact I would love to use logging category, but only for debug
> > >>  builds. But I have some requirements to minimize risk of sensitive
> > >>  data leak via logging. And to make a life of reverse engineers a bit
> > >>  more complicated if you like. So ideally no logging-related functions
> > >>  (and their parameters too!) should be visible in release build.
> > >>
> > >>  ср, 24 апр. 2019 г. в 21:27, Jérôme Godbout <godboutj at amotus.ca>:
> > >>  >
> > >>  > Maybe you can overload the functor directly into the code and import the file only if in debug mode (optional module):
> > >>  > http://udidu.blogspot.com/2012/12/override-console-functions.html
> > >>  >
> > >>  > That could also be helpful to split the log into multiple receiver.
> > >>  >
> > >>  > Not sure if this would work, but maybe you can override the console.log command into the QQmlScriptEngine and define a new javascript function that does nothing. Maybe into the your main.cpp where you create the QQmlEngine you can call the rootContext() QQmlContext object, maybe you can extract the console object with QVariant contextProperty() and set the debug() property of it with a QQmlExpression, I cannot glue all this together, but maybe something into that direction could be done before you start loading the main qml file. This is far fetched by might work but it seem overcomplicated to me.
> > >>  >
> > >>  > -----Original Message-----
> > >>  > From: Interest <interest-bounces at qt-project.org> On Behalf Of Alexander Ivash
> > >>  > Sent: April 24, 2019 12:56 PM
> > >>  > To: interestqt-project.org <interest at qt-project.org>
> > >>  > Subject: [Interest] QML preprocessing
> > >>  >
> > >>  > I understand that this topic was raised a lot of times and that this is not QML-way. But, what options do I have in case of requirements to eliminate all the logging for release builds?
> > >>  >
> > >>  > Is there any hidden magic in qmake, like 'QMAKE_SUBSTITUTES' but more flexible to substitute all the 'console.debug....' with '// console.debug' right before adding qml into resources?
> > >>  >
> > >>  > p.s. Yea, I'm aware of selectors, but would like to avoid having both component-with-logging.qml and component-with-no-logging.qml
> > >>  >
> > >>  > Regards, Alexander
> > >>  > _______________________________________________
> > >>  > Interest mailing list
> > >>  > Interest at qt-project.org
> > >>  > https://lists.qt-project.org/listinfo/interest
> > >
> > > _______________________________________________
> > > Interest mailing list
> > > Interest at qt-project.org
> > > https://lists.qt-project.org/listinfo/interest
> >
> > --
> > Regards,
> > Konstantin
> >

More information about the Interest mailing list