Feature: Adding extra sandbox to prevent escaping (hence allows malicious code to require/import system modules) #8

Closed
yl12053 wants to merge 0 commits from dev into dev
yl12053 commented 2025-07-11 17:28:35 +00:00 (Migrated from gitgud.io)

Introduction

This Merge Request addresses multiple known vulnerabilities that allowed sandbox escape and unauthorized module access through the require system. These attack vectors include, but are not limited to:

  • Forging the calling stack to bypass module._load
  • Using method.constructor.constructor to access the global Function() constructor and escape the sandbox
  • Polluting prototype chains to manipulate Object behavior
  • Using dynamic import() to access restricted system modules

Changes Introduced

  • Refactored CommonJS require into a base structure plus a closure-bound validator. Only the closure, as a prototype-less object, is passed into the VM context
  • Moved all require logic into the sandboxed context, preventing execution in the host (global) context
  • Constructed Module functions within the sandbox rather than via vm.runInThisContext in the host
  • Converted the incoming module object to a shallow, prototype-less copy, with final exports written back to the original
  • Changed Kojo’s era resolution from a host-level require to a context-injected object
  • Introduced a new ESM linker function for future compatibility with native Node.js support (dynamic import is currently disabled)
  • Added this.context and this.__loader for referencing sandbox context and the ESM linker, respectively

Notes on Prototype Safety

Prototype chains differ between the sandboxed context, the host context, and environments such as <iframe>, leading to inconsistencies in instanceof behavior. To safely perform type checks, avoid using instanceof and use the following strategies instead:

Data Type Recommended Check Avoid Using
Array Array.isArray(obj) obj instanceof Array
Object Object.prototype.toString.call(obj) === '[object Object]' obj instanceof Object
Function Object.prototype.toString.call(obj) === '[object Function]' obj instanceof Function
Others Prefer tag checks or utility functions (like typeof, isPlainObject, etc.) Prototype-based checks

Or use type-safe strategies that do not rely on prototype chains.

# Introduction This Merge Request addresses multiple known vulnerabilities that allowed sandbox escape and unauthorized module access through the `require` system. These attack vectors include, but are not limited to: - Forging the calling stack to bypass `module._load` - Using `method.constructor.constructor` to access the global `Function()` constructor and escape the sandbox - Polluting prototype chains to manipulate `Object` behavior - Using dynamic `import()` to access restricted system modules # Changes Introduced - Refactored CommonJS require into a base structure plus a closure-bound validator. Only the closure, as a prototype-less object, is passed into the VM context - Moved all require logic into the sandboxed context, preventing execution in the host (global) context - Constructed Module functions within the sandbox rather than via `vm.runInThisContext` in the host - Converted the incoming module object to a shallow, prototype-less copy, with final exports written back to the original - Changed Kojo’s era resolution from a host-level require to a context-injected object - Introduced a new ESM linker function for future compatibility with native Node.js support (dynamic import is currently disabled) - Added `this.context` and `this.__loader` for referencing sandbox context and the ESM linker, respectively # Notes on Prototype Safety Prototype chains differ between the sandboxed context, the host context, and environments such as `<iframe>`, leading to inconsistencies in instanceof behavior. To safely perform type checks, avoid using `instanceof` and use the following strategies instead: | Data Type | Recommended Check | Avoid Using | |------------|----------------------------------------------------------|---------------------------| | Array | `Array.isArray(obj)` | `obj instanceof Array` | | Object | `Object.prototype.toString.call(obj) === '[object Object]'` | `obj instanceof Object` | | Function | `Object.prototype.toString.call(obj) === '[object Function]'` | `obj instanceof Function` | | Others | Prefer tag checks or utility functions (like `typeof`, `isPlainObject`, etc.) | Prototype-based checks | Or use type-safe strategies that do not rely on prototype chains.
SLeader (Migrated from gitgud.io) closed this pull request 2025-07-15 01:08:40 +00:00
SLeader commented 2025-07-15 01:09:25 +00:00 (Migrated from gitgud.io)

no experimental features

no experimental features

Pull request closed

Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
UmaERA/era-electron!8
No description provided.