From 170eee1f42e45e451b22a4e2b7503540aa0c4b51 Mon Sep 17 00:00:00 2001
From: gpascualg
Date: Sun, 3 Jul 2016 02:07:43 +0200
Subject: [PATCH] Fix constructor exploit on NodeJS

---
 lib/_pluginNode.js | 24 +++++++++++++++++++++++-
 package.json | 4 +++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/lib/_pluginNode.js b/lib/_pluginNode.js
index f3daa6f..aa2052a 100644
--- a/lib/_pluginNode.js
+++ b/lib/_pluginNode.js
@@ -6,6 +6,8 @@
 * platform-dependent connection object for the plugin site
 */
+require('harmony-reflect')
+
 application = {};
 connection = {};
@@ -164,6 +166,26 @@ var executeNormal = function(code, url, sCb, fCb) {
 }
 }
+function secureObject(obj) {
+ if (typeof obj == "object" || typeof obj == "function") {
+ return new Proxy(obj, {
+ get: function(target, key, receiver) {
+ if (key === 'constructor') return secureObject(Object);
+ if (key === '__proto__') return secureObject(Object.prototype);
+ return secureObject(target[key]);
+ },
+ set: function(target, key, value, receiver) {
+ target[key] = secureObject(value);
+ },
+
+ getPrototypeOf: function(target) { return secureObject(Object.prototye); },
+ setPrototypeOf: function(target) { throw new Error('Restricted'); },
+ seen: {}
+ });
+ }
+
+ return obj;
+}
 /**
 * Executes the given code in a jailed environment, runs the
@@ -186,7 +208,7 @@ var executeJailed = function(code, url, sCb, fCb) {
 ];
 for (var i = 0; i < expose.length; i++) {
- sandbox[expose[i]] = global[expose[i]];
+ sandbox[expose[i]] = secureObject(global[expose[i]]);
 }
 code = '"use strict";\n'+code;
diff --git a/package.json b/package.json
index c94b5e0..d9ee63b 100644
--- a/package.json
+++ b/package.json
@@ -30,7 +30,9 @@
 "child_process": false
 },
 "main": "lib/jailed.js",
- "dependencies": {},
+ "dependencies": {
+ "harmony-reflect": ">=1.4.6"
+ },
 "devDependencies": {},
 "optionalDependencies": {},
 "engines": {
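Review bot: The added `require('harmony-reflect')` has no terminating semicolon while the neighbouring `application = {};` and `connection = {};` keep theirs; add it for consistency. The line is a side-effect import that exists only to serve `secureObject()` further down, which nothing at this point says; a comment such as `// Proxy/Reflect shim for Node versions without native support; needed by secureObject()` would explain its presence. Whether the shim also overrides a native Proxy when one is present cannot be judged from the hunk, so it is worth confirming on the Node versions the package targets.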
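Review bot: `getPrototypeOf` reads `Object.prototye`, which is `undefined`, so the trap returns `secureObject(undefined)`; a getPrototypeOf trap must return an object or null, so `Object.getPrototypeOf()` on any wrapped value throws a TypeError instead of yielding the intended wrapped `Object.prototype`. The `set` trap returns nothing, and the sandbox code is run under `"use strict"` (next hunk), where a falsish return from a set trap throws — every property assignment on an exposed global fails; it needs `return true;`. `typeof null == "object"` is true, so `secureObject(null)` calls `new Proxy(null, …)` and throws, which the `get` trap will hit for any property whose value is null. `seen: {}` is not a Proxy trap and is ignored; if it was meant as a target-to-proxy cache, a `WeakMap` would do that and would also give `wrapped.a === wrapped.a` identity, which the current per-access `new Proxy` does not. I also cannot tell from here whether any exposed global has a non-configurable, non-writable own property (a function's `prototype` is one); the `get` trap returning a fresh Proxy for such a property violates the Proxy invariant and throws, and with no `getOwnPropertyDescriptor`/`ownKeys` traps, descriptor reads forward unwrapped values from the target, so the wrapping should be treated as partial until those paths are covered.
```javascript
function secureObject(obj) {
    if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) {
        return obj; // primitives and null are handed out as-is
    }
    return new Proxy(obj, {
        // … unchanged: get trap …
        set: function(target, key, value, receiver) {
            target[key] = secureObject(value);
            return true; // a falsish return throws in the strict-mode sandbox
        },
        getPrototypeOf: function(target) { return secureObject(Object.prototype); },
        setPrototypeOf: function(target) { throw new Error('Restricted'); }
    });
}
```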
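Review bot: The wrapped assignment `sandbox[expose[i]] = secureObject(global[expose[i]]);` gives no hint why the globals are proxied; a comment on the line, `// wrap so sandbox code cannot reach the host realm through .constructor / __proto__`, would keep the commit's intent in the code. The body of executeJailed and the `expose` list both lie outside the hunk, so whether every listed global tolerates being proxied cannot be judged here; methods fetched through the proxy are invoked with the Proxy as `this`, which presumably breaks objects that rely on internal slots. A test that exercises each exposed global from inside the sandbox would make that visible.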
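Review bot: `"harmony-reflect": ">=1.4.6"` has no upper bound, so any future major release of the shim is accepted at install time for a package whose job is sandboxing; a bounded range such as `"harmony-reflect": "^1.4.6"` (or an exact version) keeps the Proxy behaviour the sandbox relies on from changing underneath it.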