
[CVE-2017-16088] Sandbox Breakout (Critical Security Fix) - context clear #15


Open
wants to merge 12 commits into
base: master

@kaue (Contributor) commented Dec 15, 2018

No description provided.

kaue added 12 commits November 15, 2018 18:28
should not have access to Node.js objects
lint
0.4.2
should not have access to Node.js objects using Object.getPrototypeOf (CWE-265)
should not have access to Node.js objects using Object.getPrototypeOf with context (CWE-265)
should check prototype also
lint
lint
stop using template string for clearContext function
@ChrisCinelli

Why is this not merged and released? I reported to the npm team.

@hacksparrow
Owner

@ChrisCinelli Function = undefined. We can't overwrite a global object.

@ChrisCinelli

@kauegimenes: You could also add this test to verify that #12 is fixed:

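  // Assumes the test file's existing `assert` and `safeEval` requires.
  it("should not modify Object's constructor", function () {
    // `constructor` is inherited, so Object has no own descriptor for it
    var evaluatedBefore = Object.getOwnPropertyDescriptor(Object, 'constructor')
    console.log(evaluatedBefore)
    assert(evaluatedBefore === undefined)
    safeEval('42')
    // evaluating must not define an own `constructor` on the host Object
    var evaluatedAfter = Object.getOwnPropertyDescriptor(Object, 'constructor')
    console.log(evaluatedAfter)
    assert(evaluatedAfter === undefined)
  })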
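
A generalization of the test in the comment above, as an added example that is not part of this thread or of the safe-eval project: instead of checking only `Object.constructor`, it snapshots the own property descriptors of several host built-ins before and after an evaluation and reports every difference. `diffBuiltins`, `cleanEval` and `leakyEval` are hypothetical names; the two evaluators are constructed stand-ins, and in a real suite `safeEval` would be passed as `evaluate`.

```javascript
// Added example (not from the safe-eval repository). All names are hypothetical.
const BUILTINS = {
  Object, Function, Array,
  'Object.prototype': Object.prototype, 'Function.prototype': Function.prototype,
};

// Record every own property descriptor (string and symbol keys) per target.
function snapshot(targets) {
  const snap = new Map();
  for (const [name, obj] of Object.entries(targets)) {
    const props = new Map();
    for (const key of Reflect.ownKeys(obj)) {
      props.set(key, Object.getOwnPropertyDescriptor(obj, key));
    }
    snap.set(name, props);
  }
  return snap;
}

function sameDescriptor(a, b) {
  return Object.is(a.value, b.value) && a.get === b.get && a.set === b.set &&
    a.writable === b.writable && a.enumerable === b.enumerable &&
    a.configurable === b.configurable;
}

// Run evaluate(code) and list every built-in property it added, removed or changed.
function diffBuiltins(evaluate, code, targets = BUILTINS) {
  const before = snapshot(targets);
  try { evaluate(code); } catch (_) { /* side effects can precede a throw */ }
  const after = snapshot(targets);
  const changes = [];
  for (const [name, oldProps] of before) {
    const newProps = after.get(name);
    for (const key of new Set([...oldProps.keys(), ...newProps.keys()])) {
      const was = oldProps.get(key), now = newProps.get(key);
      if (!was) changes.push(`${name}.${String(key)} added`);
      else if (!now) changes.push(`${name}.${String(key)} removed`);
      else if (!sameDescriptor(was, now)) changes.push(`${name}.${String(key)} changed`);
    }
  }
  return changes;
}

// Constructed stand-ins for the evaluator under test (pass safeEval in a real suite).
const cleanEval = () => 42;
const leakyEval = () => { Object.constructor = undefined; return 42; };
console.log(diffBuiltins(cleanEval, '42'));
console.log(diffBuiltins(leakyEval, '42'));
delete Object.constructor; // undo the constructed side effect
```

In a mocha suite the assertion would be that `diffBuiltins(safeEval, code)` returns an empty array for each input under test.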

@ChrisCinelli mentioned this pull request Dec 29, 2018
@ChrisCinelli

Just added comments on #16. This only fixes one tiny vulnerability.
