Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Explore potential exploits of the REPL wrt node-webkit application #136

Open
qq99 opened this issue Jul 12, 2013 · 1 comment
Open

Explore potential exploits of the REPL wrt node-webkit application #136

qq99 opened this issue Jul 12, 2013 · 1 comment
Labels
security waffle:ready
Milestone
0.3.0

Comments

@qq99
Copy link
Owner

qq99 commented Jul 12, 2013

How possible is it to sandbox the REPL, what's the scope of the potential exploits? This one might be a fun one to play with :)
@jamiees2
Copy link
Contributor

nwjs/nw.js#534
Adding nwdisable and nwfaketop should disable everything for the iframe.

The potential exploits are huge, for one thing nw has access to the filesystem i believe and the network, and process. With some obfuscated codewriting, you could easily make the program download and execute an executable from the internet, which obviously is a massive security concern.

The simple fact that require() is available to the iframe makes it a gaping security hole.

@ghost ghost assigned jamiees2 Jul 12, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security waffle:ready
Projects
None yet
Milestone
0.3.0
Development

No branches or pull requests
2 participants
@qq99 @jamiees2