webassembly, wasm-bindgen, rust-wasm

Safety of storing secrets in WASM file


I am quite new to WebAssembly and am trying to wrap my head around how it works.

From what I understand, one calls a WASM module in JavaScript and supplies arguments. I know that such arguments themselves are publicly viewable by the client because the invocation happens in the JavaScript.

Is it possible for an attacker to reverse engineer the WASM file (which for example is compiled from Rust) and view both (a) the function logic and (b) any private constants declared? If so, does that mean it is not safe to store secrets in a WASM file?

Thank you


Solution

  • Yes, it is possible to reverse engineer the code of a WASM file, like with other binaries. Contained logic and data/constants can be extracted. Hence, it is not safe to store secrets in WASM files, assuming the attacker has access to the WASM binary.

    A tool that can be used is wasm2wat, which converts the wasm binary format to a human-readable text format.
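
To make the answer above concrete, here is an added example (not part of the original answer) that can serve as a pre-release check on a build artifact: it walks the sections of a WASM binary and lists the printable strings in its data segments, which is where compiled-in constants normally end up. `SECRET`, `SAMPLE_WASM` and the function names are constructed for this illustration, and only constant offset expressions are handled.

```javascript
const SECRET = "API_KEY=constructed-demo-value"; // constructed sample value, not a real key
const payload = [...new TextEncoder().encode(SECRET)];
const dataSec = [0x01, 0x00, 0x41, 0x00, 0x0b, payload.length, ...payload];
const SAMPLE_WASM = new Uint8Array([              // constructed minimal module
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
  0x05, 0x03, 0x01, 0x00, 0x01,                   // memory section: 1 memory, min 1 page
  0x0b, dataSec.length, ...dataSec,               // data section (id 11), 1 active segment
]);

// Unsigned LEB128, the integer encoding used throughout the binary format.
function readU32(bytes, pos) {
  let result = 0, shift = 0, b;
  do { b = bytes[pos++]; result |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return [result >>> 0, pos];
}

// Walk the section list and return the raw bytes of every data segment.
function dataSegments(bytes) {
  if (![0x00, 0x61, 0x73, 0x6d].every((m, i) => bytes[i] === m)) throw new Error("not a wasm binary");
  const segments = [];
  let pos = 8, size, count, flag, len;
  while (pos < bytes.length) {
    const id = bytes[pos++];
    [size, pos] = readU32(bytes, pos);
    const end = pos + size;
    if (id === 11) {
      [count, pos] = readU32(bytes, pos);
      for (let i = 0; i < count; i++) {
        [flag, pos] = readU32(bytes, pos);
        if (flag === 2) [, pos] = readU32(bytes, pos); // explicit memory index
        if (flag !== 1) {                               // active segment: skip `<const-op> <leb> end`
          pos++;                                        // opcode (i32.const, global.get, ...)
          while (bytes[pos++] & 0x80);                  // its LEB128 immediate
          if (bytes[pos++] !== 0x0b) throw new Error("unsupported offset expression");
        }
        [len, pos] = readU32(bytes, pos);
        segments.push(bytes.subarray(pos, pos + len));
        pos += len;
      }
    }
    pos = end; // every section carries its size, so unknown ones are skipped safely
  }
  return segments;
}

// Printable ASCII runs inside the data segments, as a strings-style audit would report.
function embeddedStrings(bytes, minLen = 6) {
  const re = new RegExp(`[\\x20-\\x7e]{${minLen},}`, "g");
  return dataSegments(bytes).flatMap((seg) => Array.from(seg, (b) => String.fromCharCode(b)).join("").match(re) || []);
}
console.log(embeddedStrings(SAMPLE_WASM));
```

Anything this reports for a shipped `.wasm` file is readable by every client that downloads it, so values that must stay secret belong on a server the client calls, not in the module.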