NocoBase Workflow JavaScript Sandbox Escape Vulnerability
Vulnerability
A sandbox escape vulnerability has been identified in the NocoBase plugin 'workflow-javascript' versions prior to 2.0.23. The issue arises in the 'createSafeConsole' function within 'Vm.js', where the prototype chain of bound 'console' methods is not properly sanitized. This oversight allows an attacker to access the host 'Function' constructor and, subsequently, the 'process' object, breaking the intended isolation of the virtual machine environment. The vulnerability can be exploited remotely, without authentication, by users with access to the Workflow JavaScript node testing feature.
Impact
Exploitation of this vulnerability allows for a real and reproducible escape from the virtual machine sandbox, granting access to host Node.js runtime objects. This could lead to reading sensitive environment information, exploring module-loading paths, accessing the filesystem, environment variables, network capabilities, or other process-level resources. Such access could escalate to server-side code execution, particularly since the vulnerability is typically reachable by admin-like roles.
Reproduction
The vulnerability can be reproduced by logging into the NocoBase admin UI, navigating to the workflow settings, and creating a JavaScript node. After pasting a proof-of-concept script that accesses the host 'process' object into the node and executing it, the workflow returns the host process information, confirming the successful exploitation of the sandbox escape.
Remediation
To address this vulnerability, do not pass host function objects directly into 'runInNewContext()'. Instead, replace 'console' with a message-forwarding wrapper that exposes no host functions to the sandbox. Additionally, block the paths by which sandboxed code can recover the host 'Function.prototype.constructor', or adopt a stronger isolation design. After applying these changes, extend the security tests to cover prototype-chain access so that a regression of this escape is caught.