Impact
The realms-shim is intended to provide a "safe evaluator" which executes arbitrary strings of code with limited authority. This provides a "sandbox" which only has access to the specific objects and power that the caller chooses to expose. The evaluate() function it implements takes two additional arguments: endowments (which are exposed in the global lexical scope), and an options bag. The transforms option is a list of functions that are applied to the string of code, to apply Babel-like transformations before it gets executed (e.g. to implement syntax extensions).
A bug was found in the transformation pipeline that exposed a primal-Realm object to one of the transform functions. The confined code could use this to escape the sandbox and compromise the Realm which created it. This generally leads to a full compromise of the application.
All uses of the Realms shim that evaluate unaudited third-party code are vulnerable.
Patches
The bug is fixed in the 1.2.1 version of realms-shim. All users should upgrade to this release.
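One way to confirm that no copy of realms-shim older than 1.2.1 remains in a dependency tree, including copies nested under other packages. This is an added example, not code from the realms-shim project; the function names and the sample lockfile contents are constructed for illustration.

```javascript
// Added example: list realms-shim entries in a parsed npm lockfile older than 1.2.1.
const FIXED = [1, 2, 1];
// Split "1.2.0" or "1.2.1-rc.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when v sorts before 1.2.1; unparseable versions are reported for manual review.
function isBeforeFix(v) {
  const p = parseVersion(v);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a 1.2.1 prerelease precedes 1.2.1
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree. Prefer the former.
function findVulnerableRealmsShim(lock) {
  const hits = [];
  const check = (name, where, info) => {
    if (name === 'realms-shim' && isBeforeFix(info.version)) {
      hits.push({ where, version: info.version });
    }
  };
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      check(path.split('node_modules/').pop(), path, info);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      check(name, where, info);
      walk(info.dependencies, where);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (hypothetical app and package names).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '0.0.0' },
  'node_modules/realms-shim': { version: '1.2.1' },
  'node_modules/plugin-host/node_modules/realms-shim': { version: '1.2.0' },
} };
```

To scan a real project, pass the object obtained by parsing its package-lock.json to findVulnerableRealmsShim; an empty result means every resolved copy is at 1.2.1 or later.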
Workarounds
The evaluate() function (and the accompanying transforms option) is available to all confined code, hence the only way to prevent its use would be to carefully audit the confined code for calls to evaluate() that use the transformation feature. Given how flexible JavaScript is, this should not be considered a reliable workaround. Upgrading to the latest realms-shim is the recommended mitigation.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in the realms-shim repository
- Submit security bugs via email at security (at agoric.com)
- Contact us on twitter: @agoric