
[CVE-2017-16088] Sandbox Breakout (Critical Security Fix) - context clear #15

Open
kaue wants to merge 12 commits into hacksparrow:master from kaue:patch-2

@kaue (Contributor) commented Dec 15, 2018

No description provided.

kaue added 12 commits November 15, 2018 18:28
should not have access to Node.js objects
lint
0.4.2
should not have access to Node.js objects using Object.getPrototypeOf (CWE-265)
should not have access to Node.js objects using Object.getPrototypeOf with context (CWE-265)
should check prototype also
lint
lint
stop using template string for clearContext function

@ChrisCinelli

Why is this not merged and released? I reported to the npm team.

@hacksparrow (Owner)

@ChrisCinelli Function = undefined. We can't overwrite a global object.

@ChrisCinelli

@kauegimenes :
You could also add this test to verify that #12 is fixed:

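  // Assumes `assert` and `safeEval` are already in scope in the test file.
  it("should not modify Object's constructor", function () {
    // Object has no own 'constructor' property, so the descriptor is undefined.
    var evaluatedBefore = Object.getOwnPropertyDescriptor(Object, 'constructor')
    console.log(evaluatedBefore)
    assert(evaluatedBefore === undefined)
    safeEval('42')
    // Evaluating code must not leave an own 'constructor' property on Object.
    var evaluatedAfter = Object.getOwnPropertyDescriptor(Object, 'constructor')
    console.log(evaluatedAfter)
    assert(evaluatedAfter === undefined)
  })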

ChrisCinelli mentioned this pull request Dec 29, 2018

@ChrisCinelli

Just added comments on #16. This only fixes one tiny vulnerability.
