Closed garymathews closed 1 year ago
I am not certain to add this as there might be other instances where properties should be able to be changed and maintaining this list is cumbersome.
As a workaround it is possible to expose the url.URL
into the sandbox before it is required. The access type is given the first time the object is exposed. In this case URL
will only be accessible as protected for the runtime of the sandbox.
However, care should be taken with protect
as it allows for prototype pollution.
const vm = new NodeVM(...);
vm.protect(url.URL);
vm.run('your code');
I found that attempting to set the
search
property of a URL object does not work due to being forced as readonly. This property should be writable (see https://nodejs.org/api/url.html#urlsearch)Possible solution; not sure if this is safe?
lib/resolver-compat.js