-
Notifications
You must be signed in to change notification settings - Fork 295
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Breakout with inspect #268
Comments
@patriksimek This issue is fixed in master, however the fix came with #242 which is after version 3.8.4. So mpn does not have this fix. |
This stays open until v3.8.5 is out. |
Do we have an ETA ? |
@jan-osch Since @patriksimek seems to be quite inactive, I don't know. |
@XmiliaH thank you for your answer and all the contributions! Do you think that such monkey-patched workaround will prevent the breakout until we have an updated version published? const vm = new NodeVM({
console: 'off',
sandbox: {
console: consoleInterface,
setTimeout,
print,
// TODO remove once vm2 fixed the breakout issue
// Reference: https://github.com/patriksimek/vm2/issues/268
Buffer: {
...Buffer,
prototype: new Proxy(Buffer.prototype, {
get(object, property) {
if (property === 'inspect') {
return () => {
console.log('[BREAKOUT_ATTEMPT]'); // eslint-disable-line no-console
consoleInterface.error('Nice try! This breakout attempt will be reported');
};
}
return object[property];
},
}),
},
},
require: { // here define modules that can be required
builtin: [
// some list
],
external: [
//...
],
},
});
return vm.run(code, SCRIPT_PATH); |
@jan-osch Thats not a good soultion:
Unfortunately there is no easy solution. |
Here is a temporary poorly tested hacky fix: function hacky_fix(vm) {
const internal = vm._internal;
const old = internal.Decontextify.object;
const handler = {__proto__: null};
internal.Decontextify.object = (object, traps, deepTraps, flags, mock) => {
const value = old(object, traps, deepTraps, flags, mock);
const better = new Proxy(value, handler);
internal.Decontextify.proxies.set(object, better);
internal.Contextify.proxies.set(better, object);
return better;
};
} It patches internal functions, so use with care. |
Thank you @XmiliaH! Do you know any project with a test suite for such breakout cases? I would like to add some breakout tests to my CI as an early warning system |
We have some testcases in test/vm.js. Just search for attack and you will find the cases. |
friendly reminder @patriksimek would be awesome if you could release a new version. |
@mxschmitt Just released as 3.9.0. I'm sorry for the delay. |
The following code can be used to escape the vm, and for example execute command in shell.
It has been already reported in #187 here, it still works on node 13.6.0 and vm2 v3.8.4
The text was updated successfully, but these errors were encountered: