VM module does not prevent direct usage of built-in modules and globals #15334

Closed
HristoDobchev opened this issue Sep 11, 2017 · 6 comments
Labels
vm Issues and PRs related to the vm subsystem.

Comments

@HristoDobchev

  • Version: >= 8.3
  • Platform: MacOS
  • Subsystem: vm

Hi,

With node version 8.3.0 and above the vm container does not prevent usage of built-in modules such as "console". It is easy to reproduce with the following code:

const vm = require('vm');

const sandbox = vm.createContext({});
vm.runInContext('console.log("Hi")', sandbox);

When executed with node version < 8.3 we get the following error (which is correct):

evalmachine.<anonymous>:1
console.log("Hi")
^

ReferenceError: console is not defined
    at evalmachine.<anonymous>:1:1
    at ContextifyScript.Script.runInContext (vm.js:53:29)
    at Object.runInContext (vm.js:108:6)
    at Object.<anonymous> (/Users/development/workspace/vmbug.js:4:4)
    at Module._compile (module.js:569:30)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:503:32)
    at tryModuleLoad (module.js:466:12)
    at Function.Module._load (module.js:458:3)
    at Function.Module.runMain (module.js:605:10)

When using node version >= 8.3.0 the code executes without error.

It seems to be related to the introduction of V8 version 6.

Best regards,
Hristo Dobtchev

@TimothyGu
Member

The console you are seeing outputs to the Inspector console only, and is not the outside global. And you are right, it is related to the V8 update.

I'm not convinced that it is a bug.

@bnoordhuis
Member

With #15238 merged, we could extend NewContext() to delete the console object. Not that I think it's a good idea but it's an option.

@HristoDobchev
Author

So is this the node console object or some other (V8) class? Currently it is not clear what happens in these console invocations. Is there any documentation referring to this newly exposed console object in the vm container?
I am trying to analyze the security implications for this change for applications that require code isolation.

@bnoordhuis
Member

It's an object with stub methods; they don't do anything but return immediately unless the debugger is active.

That said, and as mentioned in the documentation, the vm module is explicitly not for running untrusted code.

@mscdex mscdex added the vm Issues and PRs related to the vm subsystem. label Sep 11, 2017
@TimothyGu
Member

If you have a Dev Tools debugger attached, methods on console will be passed to the debugger. Otherwise they are no-ops.

There aren't really any security implications other than the inherent security issues associated with the VM module. The console in VM contexts is completely isolated from the outside context.
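
An added example (not code from this issue or from the Node.js project) that checks the behaviour described in this thread on Node.js 8.3 or later: which of a few global names resolve inside an empty context, whether the context's console is the host's object, and whether console.log inside the context reaches the host's stdout. The probe list and the function names are this example's own choices.

```javascript
// Added example: probe what an empty vm context exposes (Node.js >= 8.3).
const vm = require('vm');

// Names probed inside the context; the list is this example's choice.
const PROBES = ['console', 'process', 'require', 'Buffer', 'setTimeout'];

// Count writes that reach the host's stdout while fn runs.
function countHostWrites(fn) {
  const original = process.stdout.write;
  let writes = 0;
  process.stdout.write = function () { writes += 1; return true; };
  try {
    fn();
  } finally {
    process.stdout.write = original;
  }
  return writes;
}

function auditEmptyContext() {
  const sandbox = vm.createContext({});
  const report = {};
  for (const name of PROBES) {
    // typeof never throws, so missing names are reported as 'undefined'.
    report[name] = vm.runInContext(`typeof ${name}`, sandbox);
  }
  // Compare the context's console with the host's console by identity.
  report.sameConsoleAsHost = vm.runInContext('console', sandbox) === console;
  // The reproduction from the issue: does it print on the host's stdout?
  report.hostStdoutWrites = countHostWrites(() =>
    vm.runInContext('console.log("Hi")', sandbox));
  return report;
}

console.log(auditEmptyContext());
```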

@bnoordhuis
Member

Looks like the discussion ran its course. I'll close out the issue.
