New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issue: node's VM module doesn't prevent you from accessing the node stdlib #5
Comments
|
Hi the author, The library is great. And is there any plan to fix this issue? |
|
Fixed in |
|
this page doesn't say so https://www.npmjs.com/advisories/337 |
|
Hey @SuperOP535 -- original reporter here :) I tried reproducing the issue with: and it looks like safe-eval 0.4 fixes it. Not sure how the NPM advisories work, as it should probably be closed. |
|
Unfortunately the sanitisation in 7051474 is not sufficient to close the hole. I have sent a proof-of-concept to @hacksparrow by email. The new exploit (like the one reported by @odino) is fragile, and there are many trivial ways to break it, but in general any access by the eval-ed code to any object from the caller's realm (e.g., if any object is passed in via I would advise using vm2 instead. (Please note that I have not audited the code of vm2, so can make no representations about its correctness—but at least its author appears to fully understand the issues.) |
As simple as:
This should be mentioned in the readme, as the VM isn't so safe and people might instead think this prevents any kind of attack :)
Ref: patriksimek/vm2#59
The text was updated successfully, but these errors were encountered: