prevent .constructor('return process') attack

n8n-io · Jul 31, 2024 · 53c2d0b · 53c2d0b
1 parent e43c635
commit 53c2d0b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/lib/bridge.js b/lib/bridge.js
@@ -420,7 +420,10 @@ function createBridge(otherInit, registerProxy) {
 			switch (key) {
 				case 'constructor': {
 					const desc = otherSafeGetOwnPropertyDescriptor(object, key);
-					if (desc) return thisDefaultGet(this, object, key, desc);
+					if (desc) {
+						if (desc.value && desc.value.name === 'Function') return {};
+						return thisDefaultGet(this, object, key, desc);
+					}
 					const proto = thisReflectGetPrototypeOf(target);
 					return proto === null ? undefined : proto.constructor;
 				}

diff --git a/test/vm.js b/test/vm.js
@@ -1135,6 +1135,16 @@ describe('VM', () => {
 		`), /Sandbox escape attempt blocked/);
 	});
 
+	it('constructor arbitrary code attack', async () => {
+		const vm2 = new VM();
+		assert.throws(()=>vm2.run(`
+		const g = ({}).__lookupGetter__;
+		const a = Buffer.apply;
+		const p = a.apply(g, [Buffer, ['__proto__']]);
+		p.call(a).constructor('return process')();
+		`), /constructor is not a function/);
+	});
+
 	after(() => {
 		vm = null;
 	});