rehanift / engine.js

A scriptable task engine
MIT License

Calling a context function's constructor will evaluate arbitrary code outside of the sandbox #6

Closed rehanift closed 12 years ago

rehanift commented 12 years ago

Start server with node script/server.js then run

var engine = require("engine.js").engine;

var client = engine.client.create();

var task = client.createTask();
task.setContext('(function(){ return {} })');
task.setCode("console.log(console.log.constructor('return process')())");
task.setLocals({});

task.on('eval', function(data){
    console.log(data);
});

task.on('output', function(data){
    console.log(data);
});

task.run();

rehanift commented 12 years ago

I believe this was fixed but never closed.

When I try running this now the returned eval response is SecurityError: The Function constructor may not be called

There is a test verifying this behavior @ https://github.com/rehanift/engine.js/blob/master/spec/end-to-end/security_spec.js#L64
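
As an added illustration (not code from engine.js or from the issue's author), the sketch below replays the reported payload against Node's built-in `vm` module and shows one way to close that path. It assumes a `vm`-based sandbox; `log`, `guard`, `runUnguarded` and `runGuarded` are hypothetical names, and the guard is not the fix engine.js shipped.

```javascript
const vm = require("vm");

// The issue's payload, aimed at a hypothetical exposed host function `log`
// instead of engine.js's console.log.
const PROBE = "log.constructor('return process')()";
const DENIED = "SecurityError: The Function constructor may not be called";

const isPrimitive = (v) =>
  v === null || (typeof v !== "object" && typeof v !== "function");

// Before: the host function object itself enters the new context, so its
// inherited `constructor` is the host realm's Function.
function runUnguarded(code) {
  return vm.runInNewContext(code, { log: function log() {} });
}

// After: the context only sees a Proxy around a throwaway arrow function.
// Thrown values and results are reduced to primitives, because a host-realm
// object (even an Error) would again lead back to the host Function.
function guard(hostFn) {
  return new Proxy(() => {}, {
    get(_target, key) {
      if (key === "constructor") throw DENIED;
      return undefined; // also hides bind/call/apply/__proto__
    },
    getPrototypeOf() { return null; },
    apply(_target, _thisArg, args) {
      let result;
      try { result = hostFn(...args); } catch (e) { throw String(e); }
      return isPrimitive(result) ? result : undefined;
    },
  });
}

function runGuarded(code) {
  // Null-prototype context object: no inherited host `constructor` on globals.
  const sandbox = Object.create(null);
  sandbox.log = guard((msg) => String(msg).length); // constructed host function
  try {
    return { value: vm.runInNewContext(code, sandbox), error: null };
  } catch (e) {
    return { value: undefined, error: String(e) };
  }
}

console.log("unguarded reaches host process:", runUnguarded(PROBE) === process);
console.log("guarded result:", runGuarded(PROBE));
```

Node's documentation states that the `vm` module is not a security mechanism, so treat the guard as a regression check for this one path rather than as a complete sandbox.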