User can escape the sandbox language #29
Comments
Another example is using constructor (after adding methods):

```gaiman
x = location.constructor.constructor("alert('x')")
x()
```
Here is a hacked eval function:

```gaiman
def eval(str)
    let fn = location.constructor.constructor("return $str")
    return fn()
end

let factorial = eval("(function(n) {
    return Array.from({length: n}, (_, i) => i + 1).reduce((a,b) => a * b, 1);
})")
echo factorial(10)
```
I think that it will not be possible to protect the language; constructor can't be blacklisted because the user can get the property dynamically:

```gaiman
def eval(str)
    let constructor = location["constructor"]["constructor"]
    let fn = constructor("return $str")
    return fn()
end
```

I think that if someone wants to hack the language it's ok, but with the original issue of the template literal, the user can inject the code into the developer's game. Which can be a problem, and a security one.
Actually the previous example will not work, because Gaiman doesn't support multiline strings. This code currently works:

```gaiman
let code = <<<CODE
(function(n) {
    return Array.from({length: n}, (_, i) => i + 1).reduce((a,b) => a * b, 1);
})
CODE
let factorial = eval(code)
echo factorial(10)
```
This is valid, it's interpreted by Gaiman, and it's executed. This is a potential XSS.
Reported upstream estools/escodegen#448
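The template-literal injection discussed in this thread comes down to user text being placed inside a generated JavaScript template literal without escaping. The following is an added example (not Gaiman's or escodegen's code; the function names are assumed for illustration) of the escaping a code generator needs before embedding untrusted text in a template literal, plus a round-trip check that evaluating the generated literal yields the original text and runs nothing.

```javascript
// Added example: escaping text before it is embedded in a JavaScript template
// literal, so user-controlled text cannot open a `${...}` substitution or
// terminate the literal early. Function names are assumed for illustration.

// The three sequences that carry meaning inside a template literal:
// backslash (starts an escape), backtick (ends the literal) and `${`
// (starts a substitution). Backslash must be handled first so the escapes
// added for the other two are not themselves re-escaped.
function escapeForTemplateLiteral(text) {
  return text
    .replace(/\\/g, "\\\\")
    .replace(/`/g, "\\`")
    .replace(/\$\{/g, "\\${");
}

// Emit a complete template-literal expression from untrusted text.
function toTemplateLiteral(text) {
  return "`" + escapeForTemplateLiteral(text) + "`";
}

// The unsafe variant a naive code generator might emit: text pasted verbatim.
function naiveTemplateLiteral(text) {
  return "`" + text + "`";
}

// Round-trip check: evaluate the generated literal (the way transpiler output
// would be run) and confirm it produces exactly the original text. Any
// injected substitution would change the value or throw.
function roundTrips(literalSource, text) {
  try {
    return new Function("return " + literalSource + ";")() === text;
  } catch (_err) {
    return false;
  }
}

// Constructed sample inputs resembling the injection described in the issue.
const samples = ["hello", "${alert('x')}", "`; alert('x'); `", "\\${escaped}"];

// True when every sample survives escaping unchanged.
function allSamplesRoundTrip() {
  return samples.every((s) => roundTrips(toTemplateLiteral(s), s));
}

// Benign contrast: without escaping, `${1+1}` is evaluated and the value
// changes, so the round-trip check fails.
function naiveRoundTrips(text) {
  return roundTrips(naiveTemplateLiteral(text), text);
}
```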