Skip to content

Add warning to README about sandbox escapes #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add warning to README about sandbox escapes #40

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,49 @@
# safe-eval [![npm version](https://badge.fury.io/js/safe-eval.svg)](https://badge.fury.io/js/safe-eval) [![Build Status](https://travis-ci.org/hacksparrow/safe-eval.svg?branch=master)](https://travis-ci.org/hacksparrow/safe-eval)

---

# ⚠️ CRITICAL SECURITY WARNING ⚠️

**`safe-eval` IS HARMFUL - so you are warned!**

This package contains **multiple known payloads to bypass the sandbox logic** and should **NOT** be used for executing untrusted code. There are numerous documented sandbox escape vulnerabilities that have been reported and remain unpatched.

## Known Security Issues

- **Multiple sandbox escape bugs** have been reported in the GitHub issues
- **Prototype pollution vulnerabilities** exist in the safeEval function
- **Process crash vulnerabilities** can be triggered by malicious code
- **Context injection attacks** can bypass intended restrictions

## ⚠️ IMPORTANT WARNINGS

- **DO NOT** use this package with user-submitted data
- **DO NOT** use this package with code from untrusted sources
- **DO NOT** rely on this package for security-critical applications
- **Consider alternatives** like `isolated-vm`` for Node.js sandboxing

## Better Alternatives

For Node.js applications, consider using:
- [`isolated-vm`](https://www.npmjs.com/package/isolated-vm) - Google's V8 Isolate API

## Multiple Bypasses Documented

Multiple sandbox escape vulnerabilities have been reported in the GitHub issues:
- [Issue #38](https://github.com/hacksparrow/safe-eval/issues/38) - Sandbox Escape Bug
- [Issue #35](https://github.com/hacksparrow/safe-eval/issues/35) - Sandbox Escape Bug
- [Issue #34](https://github.com/hacksparrow/safe-eval/issues/34) - Sandbox Escape Bug
- [Issue #33](https://github.com/hacksparrow/safe-eval/issues/33) - Sandbox Escape Bug
- [Issue #32](https://github.com/hacksparrow/safe-eval/issues/32) - Sandbox Escape Bug
- [Issue #31](https://github.com/hacksparrow/safe-eval/issues/31) - Sandbox Escape Bug
- [Issue #28](https://github.com/hacksparrow/safe-eval/issues/28) - Sandbox Escape Bug
- [Issue #27](https://github.com/hacksparrow/safe-eval/issues/27) - Sandbox Escape
- [Issue #26](https://github.com/hacksparrow/safe-eval/issues/26) - Prototype pollution in function safeEval

**Before using this module, ask yourself if there are no better options than using safe-eval. It is potentially better than the bad old `eval()` but has harmful potential.**

---

**NOTE**

`safe-eval` `0.3.0` and below are affected by a sandbox breakout vulnerability - [NSP 337](https://nodesecurity.io/advisories/337), [CVE-2017-16088](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16088).
Expand Down