When allowExitFunctions is set to false, we can use the loadWithNewGlobal function to invoke the exit and quit methods to exit the Java process. #135

Closed
isimple123 opened this issue Feb 13, 2023 · 5 comments

Comments

@isimple123

When allowExitFunctions is set to false, we can use the loadWithNewGlobal function to invoke the exit and quit methods to exit the Java process.
Code and the POC:

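```java
import delight.nashornsandbox.NashornSandbox;
import delight.nashornsandbox.NashornSandboxes;

NashornSandbox sandbox = NashornSandboxes.create();
sandbox.allowLoadFunctions(true);
sandbox.allowExitFunctions(false);
// POC
sandbox.eval("loadWithNewGlobal({name:\"test.js\", script: \"exit(1);\"});");
```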

Reported by liuxibin.

@mxro
Collaborator

mxro commented Feb 16, 2023

Thank you for reporting the issue.

I guess this could be patched by overwriting the loadWithNewGlobal variable?

@isimple123
Author

CVE-2023-26919
Thank you.

@mxro
Collaborator

mxro commented Apr 6, 2023

The load function is very powerful. Therefore it is disabled by default.

However, enabling the load function will allow overriding the security defaults. Therefore, it would be recommended to NOT enable the load function.

I don't think it will be possible to protect the context introduced in the new scripts created with the load function.

As said, the solution for this exposure not to occur is simply not to allow the load function.

@mxro mxro closed this as completed Apr 6, 2023
@isimple123
Author

We have turned off the loadWithNewGlobal method by executing var loadWithNewGlobal=function(){}, but kept the load method. If the allLoadWithNewGlobal parameter can be added, security risks can be reduced. Thank you.

@mxro
Collaborator

mxro commented Apr 21, 2023

Thank you for getting back @isimple123!

Sorry I don't quite understand - would be great if you could clarify some more for me.

When you say,

> executing var loadWithNewGlobal=function(){}

do you mean you are running this in your own scripts? Does setting sandbox.allowLoadFunctions(false); not work?

For

> If the allLoadWithNewGlobal parameter can be added

Where should this parameter be added? Or should this be defined for a new method?

Thanks again!
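
A configuration regression check for the behaviour discussed in this thread, added here as an example; it is not part of the original issue or the project's code. It probes whether sandboxed code can create a new global that still defines `exit`, without ever calling it. The names `SandboxConfigCheck`, `exitReachable` and `probe.js` are hypothetical, and it assumes the sandbox library and a Nashorn runtime are on the classpath.

```java
import delight.nashornsandbox.NashornSandbox;
import delight.nashornsandbox.NashornSandboxes;

// Added example: class, method and probe file names are hypothetical.
public final class SandboxConfigCheck {

    // The probe never calls exit/quit. If loadWithNewGlobal is callable, it
    // asks the fresh global only for `typeof exit`; otherwise it reports 'absent'.
    private static final String PROBE =
        "typeof loadWithNewGlobal === 'function'"
      + " ? String(loadWithNewGlobal({name: 'probe.js', script: 'typeof exit'}))"
      + " : 'absent'";

    /** True when sandboxed code can reach a new global in which exit is a function. */
    static boolean exitReachable(NashornSandbox sandbox) throws Exception {
        return "function".equals(String.valueOf(sandbox.eval(PROBE)));
    }

    public static void main(String[] args) throws Exception {
        // Maintainer's recommendation: leave load functions disabled (the default).
        NashornSandbox recommended = NashornSandboxes.create();
        recommended.allowExitFunctions(false);

        // Configuration from the report: load enabled, exit disabled.
        NashornSandbox reported = NashornSandboxes.create();
        reported.allowLoadFunctions(true);
        reported.allowExitFunctions(false);

        // Reporter's workaround: keep load, shadow loadWithNewGlobal before
        // any untrusted script runs. The probe only shows whether the global
        // name still leads to a new global; it does not show that enabling
        // load is otherwise safe.
        NashornSandbox shadowed = NashornSandboxes.create();
        shadowed.allowLoadFunctions(true);
        shadowed.allowExitFunctions(false);
        shadowed.eval("var loadWithNewGlobal = function(){};");

        System.out.println("load disabled:       exit reachable = " + exitReachable(recommended));
        System.out.println("load enabled:        exit reachable = " + exitReachable(reported));
        System.out.println("load enabled+shadow: exit reachable = " + exitReachable(shadowed));
    }
}
```

Running `exitReachable` against the sandbox configuration an application actually ships, as part of its test suite, flags a build in which load functions have been switched on for untrusted scripts.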
