VM module does not prevent direct usage of built-in modules and globals #15334
Comments
The I'm not convinced that it is a bug.
With #15238 merged, we could extend
So is this the node console object or some other (V8) class? Currently it is not clear what happens in these console invocations. Is there any documentation referring to this newly exposed console object in the vm container?
It's an object with stub methods; they don't do anything but return immediately unless the debugger is active. That said, and as mentioned in the documentation, the vm module is explicitly not for running untrusted code.
If you have a Dev Tools debugger attached, methods on console will be passed to the debugger. Otherwise they are no-ops. There aren't really any security implications other than the inherent security issues associated with the VM module. The
Looks like the discussion ran its course. I'll close out the issue.
Hi,
With node version 8.3.0 and above, the vm container does not prevent usage of built-in modules such as "console". It is easy to reproduce with the following code:
When executed with node version < 8.3 we get the following error (which is correct):
When using node version >= 8.3.0 the code executes without error.
It seems to be related to the introduction of the V8 version 6.
Best regards,
Hristo Dobtchev