Whole-known-network
<p><span class="h-card" translate="no"><a href="https://fosstodon.org/@phated" class="u-url mention">@<span>phated</span></a></span> that's what the sandbox escape is from. even if you restrict globalThis in the context</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> Worker Threads with a data url wouldn't work? <a href="https://nodejs.org/docs/latest-v20.x/api/worker_threads.html" target="_blank" rel="nofollow noopener noreferrer" translate="no"><span class="invisible">https://</span><span class="ellipsis">nodejs.org/docs/latest-v20.x/a</span><span class="invisible">pi/worker_threads.html</span></a></p>
<p>_normally_, i would have fixed this by compiling a JavaScript interpreter to WebAssembly and sandboxing everything in it</p><p>unfortunately, the JavaScript i'm running is a part of a thing that sandboxes other things in WebAssembly, so i can't exactly do that</p><p>(i mean i could but it would be horrible and i'm not going to)</p>
<p>why did i decide to look at nodejs before going to bed</p><p>i will lose sleep over it now ;_;</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> I wasn't expecting to see a colleague to C++'s std::launder this soon</p>
<p>(exhaustedly) gods, i hate this. this isn't _technically_ a vulnerability but it has upsetting enough security properties that i don't think i just want to leave it around as-is</p><p>but i also don't know how to address this because node is ... for whatever fucking reason it doesn't provide an API equivalent to running a Web Worker. there aren't even third party packages that do it. gah</p>
<p><span class="h-card" translate="no"><a href="https://screaminginsi.de/@lnl" class="u-url mention">@<span>lnl</span></a></span> tl;dr this is perfectly fine in the browser security model (for which this whole thing was originally written) and has really annoying properties in the desktop vscode</p><p>this is somehow radicalizing me even further against electron. why can't node be good</p>
<p>nevermind, this does it:</p><p>new Function('console.log(process.env)')()</p><p>i'm going to go live in a shed. don't message me</p>
<p><span class="h-card" translate="no"><a href="https://dragon.style/@saphire" class="u-url mention">@<span>saphire</span></a></span> correction: i found a sandbox escape</p>