patriksimek · Sep 20, 2023 · Sep 20, 2023 · Sep 21, 2023 · Sep 21, 2023 · Oct 6, 2023
Showing with 186 additions and 75 deletions.

+18 −0 CHANGELOG.md

+67 −2 lib/vm.js

+2 −2 package-lock.json

+4 −4 package.json

+95 −67 test/vm.js
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,21 @@
+v3.9.24 (2023-10-06)
+--------------------
+[fix] Fix Introduced Object Escapes escapes (see https://github.com/patriksimek/vm2/issues/533#issuecomment-1750328055)
+
+v3.9.22 (2023-10-06)
+--------------------
+[fix] Additional Symbol / Proxy escapes (see https://github.com/patriksimek/vm2/issues/533#issuecomment-1748934984)
+
+v3.9.21 (2023-09-21)
+--------------------
+[fix] Expand Sandbox Symbols
+
+v3.9.20 (2023-09-20)
+--------------------
+[fix] Symbol Security fix #1 (see https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4).
+
+[fix] Symbol Security fix #2 (see https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5).
+
 (discontinued) (2023-07-09)
 ---------------------------
 Discontinued do to security issues without proper fixes.

diff --git a/lib/vm.js b/lib/vm.js
@@ -142,6 +142,71 @@ function doWithTimeout(fn, timeout) {
 	}
 }
 
+/**
+ * Protects from Symbol based exploits by a sandbox proxy
+ *
+ * Follows the discussion of multiple forks attempting to resolve this exploit
+ * https://github.com/patriksimek/vm2/issues/533
+ *
+ * This solution is not for general consumption, It disables features you may require.
+ *
+ * @private
+ * @param {Object} sandbox - Objects that will be copied into the global object of the sandbox.
+ * @return {Object} Protected Symbol added to the sandbox.
+ */
+function hardenSandbox(sandbox) {
+	const customSymbol = 'nodejs.util.inspect.custom';
+	inspect.defaultOptions.customInspect = false;
+
+	sandbox.Symbol = () => {
+		return () => Symbol;
+	};
+	sandbox.Symbol.asyncIterator = Symbol.asyncIterator;
+	sandbox.Symbol.hasInstance = Symbol.hasInstance;
+	sandbox.Symbol.isConcatSpreadable = Symbol.isConcatSpreadable;
+	sandbox.Symbol.iterator = Symbol.iterator;
+	sandbox.Symbol.keyFor = Symbol.keyFor;
+	sandbox.Symbol.match = Symbol.match;
+	sandbox.Symbol.matchAll = Symbol.matchAll;
+	sandbox.Symbol.prototype = Symbol.prototype;
+	sandbox.Symbol.replace = Symbol.replace;
+	sandbox.Symbol.search = Symbol.search;
+	sandbox.Symbol.split = Symbol.split;
+	sandbox.Symbol.toString = Symbol.toString;
+	sandbox.Symbol.toPrimitive = Symbol.toPrimitive;
+	sandbox.Symbol.toStringTag = Symbol.toStringTag;
+	sandbox.Symbol.unscopables = Symbol.unscopables;
+
+	// Block Species access attacks
+	sandbox.Symbol.species = null;
+
+	// Block fetching custom attacks
+	sandbox.Symbol.for = (type) => {
+		if (type.toString() !== customSymbol) {
+			return Symbol.for(type);
+		}
+		return {};
+	};
+
+	// Prevent fetching Symbols
+	const cachedGetOwnPropertySymbols = Object.getOwnPropertySymbols;
+	Object.getOwnPropertySymbols = (obj) => {
+		const result = cachedGetOwnPropertySymbols(obj);
+		for (let i = result.length; i--; ) {
+			if (result[i].toString() === `Symbol(${customSymbol})`) {
+				return {};
+			}
+		}
+		return result;
+	};
+
+	sandbox.Proxy = function disableProxy() {
+		throw Error('Proxy Not Supported');
+	};
+
+	return sandbox;
+}
+
 const bridgeScript = compileScript(`${__dirname}/bridge.js`,
 	`(function(global) {"use strict"; const exports = {};${fs.readFileSync(`${__dirname}/bridge.js`, 'utf8')}\nreturn exports;})`);
 const setupSandboxScript = compileScript(`${__dirname}/setup-sandbox.js`,
@@ -227,7 +292,7 @@ class VM extends EventEmitter {
 		// Read all options
 		const {
 			timeout,
-			sandbox,
+			sandbox = {},
 			compiler = 'javascript',
 			allowAsync: optAllowAsync = true
 		} = options;
@@ -372,7 +437,7 @@ class VM extends EventEmitter {
 
 		// prepare global sandbox
 		if (sandbox) {
-			this.setGlobals(sandbox);
+			this.setGlobals(hardenSandbox(sandbox));
 		}
 	}
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -3,7 +3,7 @@
     "name": "Patrik Simek",
     "url": "https://patriksimek.cz"
   },
-  "name": "vm2",
+  "name": "@activeledger/vm2",
   "description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!",
   "keywords": [
     "sandbox",
@@ -13,10 +13,10 @@
     "alcatraz",
     "contextify"
   ],
-  "version": "3.9.19",
+  "version": "3.9.24",
   "main": "index.js",
   "sideEffects": false,
-  "repository": "github:patriksimek/vm2",
+  "repository": "github:activeledger/vm2",
   "license": "MIT",
   "dependencies": {
     "acorn": "^8.7.0",
@@ -38,4 +38,4 @@
     "vm2": "./bin/vm2"
   },
   "types": "index.d.ts"
-}
+}