fix(security): harden sandbox against code execution bypass (GHSA-9p4w-fq8m-2hp7)

Author: nyariv

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nyariv/sandboxjs",
-  "version": "0.8.26",
+  "version": "0.8.27",
   "description": "Javascript sandboxing library.",
   "main": "dist/node/Sandbox.js",
   "module": "./build/Sandbox.js",

src/executor.ts

@@ -377,7 +377,9 @@ addOps(LispType.Prop, (exec, done, ticks, a, b: string, obj, context, scope) =>
           throw new SandboxError(`Static method or property access not permitted: ${a.name}.${b}`);
         }
       }
-    } else if (b !== 'constructor') {
+    }
+    
+    if (b !== 'constructor') {
       let prot = a;
       while ((prot = Object.getPrototypeOf(prot))) {
         if (prot.hasOwnProperty(b)) {

test/tests.json

@@ -230,6 +230,16 @@
     "evalExpect": "error",
     "safeExpect": "/Method or property access not permitted/"
   },
+  {
+    "code": "(() => {}).__defineGetter__('a', () => 1 ) || 'ok'",
+    "evalExpect": "error",
+    "safeExpect": "/Method or property access not permitted/"
+  },
+  {
+    "code": "({}).toString.__defineGetter__('a', () => 1 ) || 'ok'",
+    "evalExpect": "error",
+    "safeExpect": "/Method or property access not permitted/"
+  },
   {
     "code": "!test2",
     "evalExpect": false,