Comments (14)
Ginden
commented on July 22, 2024
1
You can require('fs') or require('child_process') and do anything with full user permission (including dumping memory of application).
You can require('http') and overwrite prototypes to track requests.
Or anything else.
from jailed.
asvd
commented on July 22, 2024
1
On my opinion the performance impact is secondary as long as the sandbox is protected.
On security, I am only in doubt about getPrototypeOf() method which returns the prototype of an original object. Will need to check this.
from jailed.
lu4
commented on July 22, 2024
1
There's this library:
https://www.npmjs.com/package/vm2
They seem to resolve this issue through usage of proxies
from jailed.
gpascualg
commented on July 22, 2024
1
@lu4 that's basically what I did here: #37
It simply needs some exhaustive testing, which I sadly had no time to do (I checked the basic cases, ie. constructor, and it seemed to work).
from jailed.
zsf3
commented on July 22, 2024
1
is there any update on this issue?
from jailed.
asvd
commented on July 22, 2024
wow, thanks. will investigate
from jailed.
asvd
commented on July 22, 2024
What can one do here with the require() by the way? The point of the sandbox is to protect the main application.
from jailed.
gpascualg
commented on July 22, 2024
@Ginden Could you test #37 and see if any other method of breaking it exist?
@asvd You could also do constructor('return global') and would have much more than require alone. Let me know if I can do something else on the PR ;)
from jailed.
asvd
commented on July 22, 2024
Actually I was thinking about running a subprocess in a chrooted environment, and use an OS-level communication channel to avoid shared objects between parent and child processes :-)
from jailed.
gpascualg
commented on July 22, 2024
If that subprocess was NodeJS, you would still have access to require, and that basically means to the complete system. The application itself would be safe, of couse, but it would still leave the system open I believe.
Btw, the proposed solution might have some perfomance impact, as it is creating Proxies at each call, Maybe keeping them in a dictionary or something alike would be best (I don't have the time now to do it, maybe in a few days).
from jailed.
gpascualg
commented on July 22, 2024
Yes, I indeed haven't had time to test it. I barely tested the constructor based exploit. Some more extensive tests should be done. I might be able to do them in 1-2 weeks.
from jailed.
Ginden
commented on July 22, 2024
Maybe you should reuse/fork Google Caja for this?
from jailed.
asvd
commented on July 22, 2024
Caja is a separate project which works very differently (parses and evaluates code by itself). Users may choose it instead of Jailed of course.
from jailed.
tommitytom
commented on July 22, 2024
Any potential solution to this issue been discovered?
from jailed.
Related Issues (20)
- unable to find application object
- Dom manipulation in jailed HOT 1
- Write code without application.remote HOT 2
- Just tried the base example - Getting permission issue HOT 5
- Why is the Web Worker inside an iframe? HOT 4
- Exposing values from the app to the jailed worker. HOT 1
- Best way to pass large data set into jailed script (browser)?
- Cannot read property 'whenEmitted' of undefined
- Add setting for "fallback to iframe jailing only" functionality, and timeout value
- Improve Jail Isolation via Content-Security-Policy HOT 1
- CVE-2022-23923 HOT 2
- Pass values to jailed code HOT 2
- Passing interface with sub functions not working
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jailed.