<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> I wasn't expecting to see a colleague to C++'s std::launder this soon</p>
<p>(exhaustedly) gods, i hate this. this isn't _technically_ a vulnerability but it has upsetting enough security properties that i don't think i just want to leave it around as-is</p><p>but i also don't know how to address this because node is ... for whatever fucking reason it doesn't provide an API equivalent to running a Web Worker. there aren't even third party packages that do it. gah</p>
<p><span class="h-card" translate="no"><a href="https://screaminginsi.de/@lnl" class="u-url mention">@<span>lnl</span></a></span> tl;dr this is perfectly fine in the browser security model (for which this whole thing was originally written) and has really annoying properties in the desktop vscode</p><p>this is somehow radicalizing me even further against electron. why can't node be good</p>
<p>nevermind, this does it:</p><p>new Function('console.log(process.env)')()</p><p>i'm going to go live in a shed. don't message me</p>
<p><span class="h-card" translate="no"><a href="https://dragon.style/@saphire" class="u-url mention">@<span>saphire</span></a></span> correction: i found a sandbox escape</p>
<p><span class="h-card" translate="no"><a href="https://screaminginsi.de/@lnl" class="u-url mention">@<span>lnl</span></a></span> <a href="https://github.com/YoWASP/vscode" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">github.com/YoWASP/vscode</span><span class="invisible"></span></a></p>
<p>if Node supported Web Workers (as it really should) none of this would be needed</p><p>as it is, i'm running the dynamically loaded code in a way that *should* not let it escape the sandbox, but i would only put like a $100 bug bounty on this implementation</p>
<p><span class="h-card" translate="no"><a href="https://screaminginsi.de/@lnl" class="u-url mention">@<span>lnl</span></a></span> wdym?</p>
<p>enjoy ;w; <a href="https://github.com/YoWASP/vscode/commit/0e68692e2b0f8a4d547c8bb4802abd36e1eb4a99" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">github.com/YoWASP/vscode/commi</span><span class="invisible">t/0e68692e2b0f8a4d547c8bb4802abd36e1eb4a99</span></a></p>