Protect outer objects (#70)

Author: kage-sakura

src/setup.js

@@ -0,0 +1,35 @@
+Object.defineProperty(
+  RegExp.prototype,
+  Symbol.for('nodejs.util.inspect.custom'),
+  {
+    value: RegExp.prototype.toString,
+  }
+)
+
+{
+  const { isNaN } = Number,
+    { prototype } = Date,
+    { call } = Function.prototype,
+    getTime = call.bind(prototype.getTime),
+    toString = call.bind(prototype.toString),
+    toISOString = call.bind(prototype.toISOString)
+  Object.defineProperty(prototype, Symbol.for('nodejs.util.inspect.custom'), {
+    value() {
+      return isNaN(getTime(this)) ? toString(this) : toISOString(this)
+    },
+  })
+}
+
+{
+  const call = Function.prototype.call.bind(Function.prototype.call),
+    proxify = (value, construct, getters) =>
+      new Proxy(value, {
+        __proto__: null,
+        get(_, key, receiver) {
+          const getter = getters(key)
+          return getter ? call(getter, receiver) : value[key]
+        },
+        construct,
+      })
+  proxify
+}

src/worker.js

@@ -1,57 +1,71 @@
 const { worker } = require('workerpool')
 const { VM } = require('vm2')
-const { inspect } = require('util')
+const {
+  inspect,
+  types: { isUint8Array },
+} = require('node:util')
 const { Console } = console
-const { Writable } = require('stream')
+const { Writable } = require('node:stream')
+const { isEncoding, isBuffer } = Buffer
+const bufferToString = Function.prototype.call.bind(Buffer.prototype.toString)
+const vmSetupScript = require('node:fs').readFileSync(
+  require('node:path').join(__dirname, './setup.js'),
+  'utf8'
+)
 
 const errorToString = err => {
-  if (typeof err === 'object' && err instanceof Error) {
+  if (typeof err === 'object' && err instanceof Error)
     return Error.prototype.toString.call(err)
-  }
   return 'Thrown: ' + inspect(err, { depth: null, maxArrayLength: null })
 }
 
 const run = async code => {
   const consoleOutput = []
   const outStream = Object.defineProperty(new Writable(), 'write', {
-    value: chunk => consoleOutput.push(chunk),
-  })
-  const vm = new VM({
-    sandbox: {
-      Set,
-      Map,
-      Date,
-      WeakSet,
-      WeakMap,
-      Buffer,
-      ArrayBuffer,
-      SharedArrayBuffer,
-      Int8Array,
-      Uint8Array,
-      Uint8ClampedArray,
-      Int16Array,
-      Uint16Array,
-      Int32Array,
-      Uint32Array,
-      Float32Array,
-      Float64Array,
-      BigInt64Array,
-      BigUint64Array,
-      Atomics,
-      DataView,
-      console: new Console({
-        stdout: outStream,
-        stderr: outStream,
-        inspectOptions: { depth: null, maxArrayLength: null },
-      }),
+    value(chunk, encoding, callback) {
+      switch (typeof encoding) {
+        case 'function':
+          callback = encoding
+        case 'undefined':
+          encoding = 'utf8'
+          break
+        default:
+          if (!isEncoding(encoding))
+            throw new TypeError(`Unknown encoding '${encoding}'`)
+      }
+      switch (true) {
+        case isUint8Array(chunk):
+          chunk = Buffer.from(chunk.buffer, chunk.byteOffset, chunk.byteLength)
+        case isBuffer(chunk):
+          chunk = bufferToString(chunk, encoding)
+        case typeof chunk === 'string':
+          break
+        default:
+          throw new TypeError(
+            'Invalid chunk type. The chunk must be a string, a Buffer or a Uint8Array'
+          )
+      }
+
+      consoleOutput.push(chunk)
+
+      if (typeof callback === 'function') callback()
     },
   })
+  const vm = new VM()
 
-  const { call } = Function.prototype
+  vm.freeze(Atomics, 'Atomics')
+  vm.freeze(
+    new Console({
+      stdout: outStream,
+      stderr: outStream,
+      inspectOptions: { depth: null, maxArrayLength: null },
+    }),
+    'console'
+  )
 
   for (const type of ['Number', 'String', 'Boolean', 'Symbol', 'BigInt']) {
-    const { prototype } = vm.run(type)
-    const valueOf = call.bind(prototype.valueOf)
+    const prototype = vm.run(type + '.prototype')
+    const valueOf = Function.prototype.call.bind(prototype.valueOf)
     Object.defineProperty(prototype, inspect.custom, {
       value() {
         try {
@@ -62,28 +76,69 @@ const run = async code => {
     })
   }
 
-  const vmRegExpPrototype = vm.run('RegExp').prototype,
-    vmRegExpProtoToString = call.bind(vmRegExpPrototype.toString)
-  Object.defineProperty(vmRegExpPrototype, inspect.custom, {
-    value() {
-      try {
-        return vmRegExpProtoToString(this)
-      } catch {}
-      return this
-    },
-  })
+  const proxify = vm.run(vmSetupScript)
+
+  for (const constructor of [
+    Set,
+    Map,
+    WeakSet,
+    WeakMap,
+    Buffer,
+    ArrayBuffer,
+    SharedArrayBuffer,
+    Int8Array,
+    Uint8Array,
+    Uint8ClampedArray,
+    Int16Array,
+    Uint16Array,
+    Int32Array,
+    Uint32Array,
+    Float32Array,
+    Float64Array,
+    BigInt64Array,
+    BigUint64Array,
+    DataView,
+  ]) {
+    // Mark the class constructor readonly
+    vm.readonly(constructor)
+
+    // Mark the prototype and its properties readonly
+    for (let o = constructor.prototype; o; o = Object.getPrototypeOf(o)) {
+      vm.readonly(o)
+      Reflect.ownKeys(o).forEach(k => {
+        try {
+          vm.readonly(o[k])
+        } catch {
+          // Ignore errors
+        }
+      })
+    }
+
+    // Add prototype mapping
+    vm._addProtoMapping(constructor.prototype, constructor.prototype)
+
+    // Set class constructor to global
+    vm.sandbox[constructor.name] = constructor.prototype.constructor = proxify(
+      constructor,
+      (_, args, newTarget) => Reflect.construct(constructor, args, newTarget),
+      key => {
+        for (let o = constructor; o; o = Reflect.getPrototypeOf(o)) {
+          const getter = Reflect.getOwnPropertyDescriptor(o, key)?.get
+          if (getter) return getter
+        }
+      }
+    )
+  }
 
-  let result
   try {
-    result = await vm.run(code)
+    const result = await vm.run(code)
+    return [
+      consoleOutput.join('').trim(),
+      inspect(result, { depth: null, maxArrayLength: null }),
+    ]
   } catch (ex) {
     return [consoleOutput.join('').trim(), errorToString(ex)]
   }
-
-  return [
-    consoleOutput.join('').trim(),
-    inspect(result, { depth: null, maxArrayLength: null }),
-  ]
 }
 
 worker({ run })