Bypass 003: Recursive eval

[kumavis]

Heh, hunting these down sure is fun.

eval('this')
//=> undefined
eval('eval')('this')
//=> [object Window]

http://natevw.github.io/evel/challenge.html#eval('eval')('this')

[kumavis]

the "use strict" directive ironically screws us here, blocking us from overwriting eval
This error is thrown "SyntaxError: Parameter name eval or arguments is not allowed in strict mode"

[kumavis]

Hmmm, this is a tough one

[natevw]

Confirmed that this was always an issue (since 43353b2 anyway) and is still fixed after my latest cleanup. Surprised I missed this originally.

What was happening here I think is explained by MDN's strict mode documentation:

Relatedly, if the function eval is invoked by an expression of the form eval(...) in strict mode code, the code will be evaluated as strict mode code. The code may explicitly invoke strict mode, but it's unnecessary to do so.

This bypass does the opposite: by invoking eval in a different form it avoids strict mode, which is a big no-no for our purposes as you demonstrated. You can see this also via function () { var e = eval; return e('this'); }().

So I think replacing _gObj.eval with evel is indeed the only mitigation, which is fine except it means the real eval might not be useable to fix #12 as I'd hoped.