jruby-sandbox
Safe eval escapes sandbox
I'm able to circumvent the sandbox by using a referenced namespace/module. Here's an example:
jruby-1.6.7 :001 > require 'sandbox'
=> true
jruby-1.6.7 :002 > Foo = Struct.new(:foo)
=> Foo
jruby-1.6.7 :003 > sand = Sandbox::Safe.new
=> #<Sandbox::Safe:0x2221bcd5>
jruby-1.6.7 :004 > sand.activate!
=> ["%", "*", "+", "<<", "<=>", "==", "=~", "capitalize", "capitalize!", "casecmp", "center", "chomp", "chomp!", "chop", "chop!", "concat", "count", "crypt", "delete", "delete!", "downcase", "downcase!", "dump", "each", "each_byte", "each_line", "empty?", "eql?", "gsub", "gsub!", "hash", "hex", "include?", "index", "initialize", "initialize_copy", "insert", "inspect", "intern", "length", "ljust", "lines", "lstrip", "lstrip!", "match", "next", "next!", "oct", "replace", "reverse", "reverse!", "rindex", "rjust", "rstrip", "rstrip!", "scan", "size", "slice", "slice!", "split", "squeeze", "squeeze!", "strip", "strip!", "start_with?", "sub", "sub!", "succ", "succ!", "sum", "swapcase", "swapcase!", "to_f", "to_i", "to_s", "to_str", "to_sym", "tr", "tr!", "tr_s", "tr_s!", "upcase", "upcase!", "upto", "[]", "[]="]
jruby-1.6.7 :005 > sand.ref Foo
=> nil
jruby-1.6.7 :006 > sand.eval 'Foo.eval "`ls /etc/passwd`"'
=> "/etc/passwd\n"
jruby-1.6.7 :007 >
Shouldn't that be disallowed in safe mode?
Note: Plain ls is not defined.
jruby-1.6.7 :007 > sand.eval '`ls`'
Sandbox::SandboxException: NoMethodError: undefined method ``' for main:Object
from sandbox/SandboxFull.java:60:in `eval'
from (irb):7:in `evaluate'
from org/jruby/RubyKernel.java:1088:in `eval'
from org/jruby/RubyKernel.java:1410:in `loop'
from org/jruby/RubyKernel.java:1197:in `catch'
from org/jruby/RubyKernel.java:1197:in `catch'
from /home/jsimpson/.rvm/rubies/jruby-1.6.7/bin/jirb:17:in `(root)'
jruby-1.6.7 :008 >
Good catch! We removed access to these from the FakeFS objects that are passed in, but we probably need some kind of a "clean" way to pass in objects to the sandbox that strips them of eval, class_eval and instance_eval.
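The reply above asks for a "clean" way to pass objects into the sandbox with eval, class_eval and instance_eval stripped. Removing three names is fragile, since the reflective dispatch methods Ruby keeps on every object (send, __send__, instance_exec) reach the same code paths, so the added example below, which is not jruby-sandbox code, takes the opposite approach: a BasicObject proxy that forwards only the methods listed in a policy hash and wraps whatever an allowed call returns or yields. SandboxRef, PLAIN and the policy layout are assumed names, not the gem's API.

```ruby
require 'set'

# Allow-list proxy for an object handed into a sandbox. Only the method
# names in the policy are forwarded to the wrapped object; eval,
# class_eval, instance_eval, send and everything else raise NoMethodError.
# Objects coming back out of an allowed call (return values and block
# arguments) are wrapped the same way, so a returned instance cannot be
# used as a fresh escape route.
class SandboxRef < BasicObject
  # Values the sandboxed code may receive unwrapped.
  PLAIN = [::Integer, ::Float, ::String, ::Symbol,
           ::NilClass, ::TrueClass, ::FalseClass].freeze

  # BasicObject itself still carries these two code-evaluation entry
  # points; with them gone, every call not defined here hits
  # method_missing and therefore the allow-list check (this covers
  # __send__ too, since it dispatches on the proxy, not on the target).
  undef_method :instance_eval, :instance_exec

  # policy: { Foo.singleton_class => [:new], Foo => [:foo] } -- keyed by
  # the singleton class for methods called on a class/module object, and
  # by the instance's class for methods called on an instance.
  def initialize(target, policy)
    @target = target
    @policy = policy
    key     = ::Module === target ? target.singleton_class : target.class
    @allow  = ::Set.new((policy[key] || []).map(&:to_sym))
  end

  def method_missing(name, *args, &block)
    unless @allow.include?(name.to_sym)
      ::Kernel.raise ::NoMethodError, "#{name} is not exposed to the sandbox"
    end
    # Values yielded to a sandbox-supplied block get wrapped as well.
    guarded = block && ::Proc.new { |*yielded|
      block.call(*yielded.map { |y| ::SandboxRef.wrap(y, @policy) })
    }
    ::SandboxRef.wrap(@target.public_send(name, *args, &guarded), @policy)
  end

  # Plain values pass through; anything else gets its own proxy.
  def self.wrap(value, policy)
    return value if PLAIN.any? { |klass| klass === value }
    new(value, policy)
  end
end
```

With the Struct from the report, `sand.ref SandboxRef.new(Foo, { Foo.singleton_class => [:new], Foo => [:foo] })` would let sandboxed code build and read a Foo but turn `Foo.eval "..."` into a NoMethodError.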