Fix constructor exploit on NodeJS

asvd · Jul 3, 2016 · 170eee1 · 170eee1
1 parent 4d26cd2
commit 170eee1
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/lib/_pluginNode.js b/lib/_pluginNode.js
@@ -6,6 +6,8 @@
  * platform-dependent connection object for the plugin site
  */
 
+require('harmony-reflect')
+
 application = {};
 connection = {};
 
@@ -164,6 +166,26 @@ var executeNormal = function(code, url, sCb, fCb) {
     }
 }
 
+function secureObject(obj) {
+    if (typeof obj == "object" || typeof obj == "function") {
+        return new Proxy(obj, {
+            get: function(target, key, receiver) {
+                if (key === 'constructor') return secureObject(Object);
+                if (key === '__proto__') return secureObject(Object.prototype);
+                return secureObject(target[key]);
+            },
+            set: function(target, key, value, receiver) {
+                target[key] = secureObject(value);
+            },
+
+            getPrototypeOf: function(target) { return secureObject(Object.prototye); },
+            setPrototypeOf: function(target) { throw new Error('Restricted'); },
+            seen: {}
+        });
+    }
+
+    return obj;
+}
 
 /**
  * Executes the given code in a jailed environment, runs the
@@ -186,7 +208,7 @@ var executeJailed = function(code, url, sCb, fCb) {
     ];
 
     for (var i = 0; i < expose.length; i++) {
-        sandbox[expose[i]] = global[expose[i]];
+        sandbox[expose[i]] = secureObject(global[expose[i]]);
     }
 
     code = '"use strict";\n'+code;

diff --git a/package.json b/package.json
@@ -30,7 +30,9 @@
       "child_process": false
     },
   "main": "lib/jailed.js",
-  "dependencies": {},
+  "dependencies": {
+      "harmony-reflect": ">=1.4.6"
+  },
   "devDependencies": {},
   "optionalDependencies": {},
   "engines": {