sandbox - npm Package Compare versions

Comparing version 0.8.2 to 0.8.3

example/example.js

@@ -29,1 +29,21 @@ var Sandbox = require("../lib/sandbox")
 
+// Example 6 - Caller Attack Failure
+s.run( "(function foo() {return foo.caller.caller;})()", function( output ) {
+  console.log( "Example 6: " + output.result + "\n" )
+})
+
+// Example 7 - Argument Attack Failure
+s.run( "(function foo() {return [].slice.call(foo.caller.arguments);})()", function( output ) {
+  console.log( "Example 7: " + output.result + "\n" )
+})
+
+// Example 8 - Type Coersion Attack Failure
+s.run( "(function foo() {return {toJSON:function x(){return x.caller.caller.name}}})()", function( output ) {
+  console.log( "Example 8: " + output.result + "\n" )
+})
+
+// Example 9 - Global Attack Failure
+s.run( "x=1;(function() {return this})().console.log.constructor('return this')()", function( output ) {
+  console.log( "Example 9: " + output.result + "\n" )
+})
+

lib/shovel.js

@@ -7,49 +7,79 @@ // shovel.js - Do the heavy lifting in this sandbox
   , code
+  , result
   , console
-  , result
   , sandbox
   , Script
-  , stdin
+  , stdin;
 
 if ( ! ( Script = process.binding( 'evals').NodeScript ) )
-  if ( ! Script = process.binding('evals').Script )
-    Script = require( 'vm' )
+  if ( ! ( Script = process.binding('evals').Script ) )
+    Script = require( 'vm' );
 
 /* ------------------------------ Sandbox ------------------------------ */
-// Sandbox methods
-console = []
-sandbox =
-  { console:
-    { log: function() { var i, l
-        for ( i = 0, l = arguments.length; i < l; i++ )
-          console.push( util.inspect( arguments[i] ) )
-      }
-    }
-  }
-sandbox.print = sandbox.console.log
+var console = [];
 
 // Get code
-code = ''
-stdin = process.openStdin()
+code = '';
+stdin = process.openStdin();
 stdin.on( 'data', function( data ) {
-  code += data
+  code += data;
 })
-stdin.on( 'end', run )
+stdin.on( 'end', run );
 
+function getSafeRunner() {
+  var global = this;
+  // Keep it outside of strict mode
+  function UserScript(str) {
+    // We want a global scoped function that has implicit returns.
+    return Function('return eval('+JSON.stringify(str+'')+')');
+  }
+  // place with a closure that is not exposed thanks to strict mode
+  return function run(comm, src) {
+    // stop argument / caller attacks
+    "use strict";
+    var send = function send(event) {
+      "use strict";
+      //
+      // All comm must be serialized properly to avoid attacks, JSON or XJSON
+      //
+      comm.send(event, JSON.stringify([].slice.call(arguments,1)));
+    }
+    global.print = send.bind(global, 'stdout');
+    global.console = {};
+    global.console.log = send.bind(global, 'stdout');
+    var result = UserScript(src)();
+    send('end', result);
+  }
+}
+
 // Run code
 function run() {
-  result = (function() {
-    try {
-      return Script.runInNewContext( this.toString(), sandbox )
-    }
-    catch (e) {
-      return e.name + ': ' + e.message
-    }
-  }).call( code )
+  var context = Script.createContext();
+  var safeRunner = Script.runInContext('('+getSafeRunner.toString()+')()', context);
+  var result;
+  try {
+    safeRunner({
+      send: function (event, value) {
+        "use strict";
+        switch (event) {
+          case 'stdout':
+            console.push.apply(console, JSON.parse(value).slice(1));
+            break;
+          case 'end':
+            result = JSON.parse(value)[0];
+            break;
+        }
+      }
+    }, code);
+  }
+  catch (e) {
+    result = e.name + ': ' + e.message;
+  }
   
   process.stdout.on( 'drain', function() {
     process.exit(0)
-  })
-  process.stdout.write( JSON.stringify( { result: util.inspect( result ), console: console } ) )
+  });
+  
+  process.stdout.write( JSON.stringify( { result: util.inspect( result ), console: console } ) );
 }
 

package.json

@@ -6,5 +6,6 @@ { "name" : "sandbox"
 , "contributors":
-  [ "Dominic Tarr (http://cyber-hobo.blogspot.com)"
+  [ "Bradley Meck <bradley.meck@gmail.com>"
+  , "Dominic Tarr (http://cyber-hobo.blogspot.com)"
   ]
-, "version" : "0.8.2"
+, "version" : "0.8.3"
 , "main" : "./lib/sandbox"
@@ -11,0 +12,0 @@ , "directories" : { "lib" : "./lib" }

README.md

@@ -85,3 +85,4 @@ # Node Sandbox
 - Written by [Gianni Chiappetta](http://github.com/gf3) – [gf3.ca](http://gf3.ca)
+- Contributions by [Bradley Meck](https://github.com/bmeck)
 - Contributions by [Dominic Tarr](http://github.com/dominictarr) – [cyber-hobo.blogspot.com](http://cyber-hobo.blogspot.com/)
 

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

11457

increased by19.23%

Lines of code

221

increased by24.86%

Number of lines in readme file

88

increased by1.15%

No dependency changes