v3.10.0 introduced a breaking change · patriksimek/vm2#543

(1 留言) (0 反應) (0 負責人)JavaScript (3,798 star) (285 fork)batch import

bugconfirmedhelp wanted

描述

With our use case we use webpack to bundle code into a single script. This happens with any package that uses inherits or the nodejs util.inherits.

With https://github.com/patriksimek/vm2/pull/540 this broke usage of these packages and it will result in this line throwing https://github.com/patriksimek/vm2/blob/main/lib/setup-sandbox.js#L561.

I am unsure if this change is for security reasons as the PR doesn't go into details.

Here is a minimal script to reproduce the error:

const script = `
const util = require('util');
const EventEmitter = require('events');

function MyStream() {
  console.log("This is sha1");
}

util.inherits(MyStream, EventEmitter);
`;

const vmScript = new VMScript(script);
const vm = new NodeVM({
console: 'inherit',
require: {
  builtin: ['util', 'events'],
},
});
vm.run(vmScript);

貢獻者指南

技術棧: javascriptnodejs
領域: backendsecurity
議題類型: bug
難度: 3
預計時間: 1-2 days
活動狀態: needs maintainer response
清晰度: clear
前置要求: Node.js basicsvm2 package knowledge
新手友善度: 50
研究方向: Investigate PR #540 that introduced the breaking change. Check the code in lib/setup sandbox.js line 561 to understand the error. Determine if the change is intended for security reasons and if so, find a way to allow inherits usage while maintaining security. Consider alternatives like patching the inherits function.