nodejs/node

Promise's domain property allows escaping VM

TimothyGu opened this issue · 2 comments

  • Version: v8.x / master
  • Platform: Linux debian-x240s 4.9.0-3-amd64 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux
  • Subsystem: vm

```js
> vm.runInNewContext('Promise.resolve().domain') instanceof Object
true
> vm.runInNewContext('Promise.resolve().domain instanceof Object')
false
```

A question of a larger scope is if the promise hooks should be enabled at all for VM contexts.

Doesn't really strike me as an issue. vm is not a security mechanism.

edit: no opinion on whether promise hooks should be enabled or not.

> vm is not a security mechanism.

... and I never said it was, but it has been the case until now that objects from another context can only be present in a vm context if the user explicitly adds things into the sandbox from another sandbox.


I just realized the domain property is only added if domains are enabled, which is the case in the REPL. That softens the blow for me, but this still sounds like a bug.