Guillem Pascual Guinovart
Guillem Pascual Guinovart
@Ginden Could you test #37 and see if any other method of breaking it exist? @asvd You could also do `constructor('return global')` and would have much more than require alone....
If that subprocess was NodeJS, you would still have access to `require`, and that basically means to the complete system. The application itself would be safe, of couse, but it...
Yes, I indeed haven't had time to test it. I barely tested the constructor based exploit. Some more extensive tests should be done. I might be able to do them...
@lu4 that's basically what I did here: https://github.com/asvd/jailed/issues/37 It simply needs some exhaustive testing, which I sadly had no time to do (I checked the basic cases, ie. constructor, and...
@asvd `application` is secured from the start, it is an exposed object. See that `get` also calls `secureObject` on the requested value, so when `whenConnected` is retrieved it is also...
I've extended what @taikuukaits said in https://github.com/asvd/jailed/issues/8#issuecomment-196088692 here: https://github.com/Push-EDX/jailed/commit/8664d322dcc663286e687753c1a8608af303100b It now allows you to do so: ``` plugin.whenFailed(function(e) { console.error(e.stack); }) ``` Basically, it is exported `stack`, `name` and `message`...
@asvd Oups, didn't test that part, I supposed it had been fixed too. Indeed, this would report any syntax error, but probably not a runtime exception on an async task....
@anderson- I had problems with `, error: e`, as both NodeJS and Chrome refused to copy the whole object. That is why in my branch I only copy `stack`, `name`...
Last time I checked, port forwarding was only available in the Windows Desktop version. Unless it has recently changed, it is not be possible to enable it in this service....
Any updates on this? I am quite interested in disable diagonal movement. I haven't got time enough to go through all the code yet, but I cold do so if...