Node.js sandbox is broken #33
Comments
wow, thanks. will investigate
What can one do here with the require() by the way? The point of the sandbox is to protect the main application.
You can
Actually I was thinking about running a subprocess in a chrooted environment, and use an OS-level communication channel to avoid shared objects between parent and child processes :-)
If that subprocess was NodeJS, you would still have access to Btw, the proposed solution might have some performance impact, as it is creating Proxies at each call. Maybe keeping them in a dictionary or something alike would be best (I don't have the time now to do it, maybe in a few days).
In my opinion the performance impact is secondary as long as the sandbox is protected. On security, I am only in doubt about
Yes, I indeed haven't had time to test it. I barely tested the constructor based exploit. Some more extensive tests should be done. I might be able to do them in 1-2 weeks.
Maybe you should reuse/fork Google Caja for this?
Caja is a separate project which works very differently (parses and evaluates code by itself). Users may choose it instead of Jailed of course.
Any potential solution to this issue been discovered?
There's this library: They seem to resolve this issue through usage of proxies
is there any update on this issue?
start.js file:
plugin.js file: