Share your repls and programming experiences

← Back to all posts
SUPER-COMPACT eval( ) sandbox (Javascript)
MatReiner (123)

At less than 1 kilobyte (997 bytes), this library can be put anywhere (except IE and some unknown browsers) and will simulate a safe sandbox to evaluate untrusted code.


var scope = sandbox({
  //variables accessible to the sandbox
  show: (text) => alert(text),
  location: location.href
  //and so on...
}, true /\*use 'return' for return values\*/)


Protections from:
XHTTP requests: fetch('','sendMoney: $9999')
CVE-2016-3198-A: (function(){}).‎constructor('return sensitive_data')()
The Bracket Escape™: };return sensitive_data;{
Gen constructor: (function*(){}).‎constructor('return sensitive_data')().next().value
This: var window = this;window.executeInsanity()

Source code visible in /sandbox.js

Please comment if you find any exploits!

ps. I'm not exaggerating how compact it is, first, i compressed it with a js-minifier, then, even more by hand it's so compact that the js-minifier actually EXPANDS it.

pps. if you intent to use this on a server, use try {} catch (e){} if you don't want your server freezing/crashing

sugarfi (625)

Found an exploit: you can use this to get the full window object. For example, I can use return this.alert('hi'), even when alert is not defined in the current scope.

MatReiner (123)

@sugarfi ok thx I know how to fix it but I'll do it later

pyelias (2393)

return function(){}.constructor("return this.secret")()
return {}.constructor.toString.constructor("return this.secret")()
both put window in this

MatReiner (123)

@pyelias i don't know how to fix it but i will try

sugarfi (625)

Do you happen to have the unminifed source?

MatReiner (123)

@sugarfi nope, but I'll unminify it for you

MatReiner (123)

@sugarfi I've unminified it so you can have a look now

In the process of unminifying

MatReiner (123)

Please dont write out the CVE-2016-3198-A or Gen constructor because this will destroy for anyone who has an antivirus installed

MatReiner (123)

@mwilki7 NO. It'll probably block your computer aswell

MatReiner (123)

@mwilki7 i blocked mine and it prevented me from using at all