Home » Nodejs » Block eval && new Function

Block eval && new Function

Posted by: admin November 29, 2017 Leave a comment


I’m just working on writing some random puzzles on codewars.com and am curious if anyone can think of a way to eval code after the following code has been run:

eval = function(){};
delete Function.prototype.constructor;
Function = undefined;

// the following are to block require('vm') -- if anyone wants to run this
// in production it may be better to block that one module (others?)
require = undefined;
module.__proto__.require = undefined; // added this due to alexpod's answer, modified due to Fabrício Matté's :)
module.constructor = undefined; // added this due to alexpod's answer

This is in node.js, so setTimeout( "string" ) doesn’t work.


Well, also you have module variable in node. So you can require vm package and run code using its require method:

var vm = module.require('vm');
vm.runInThisContext(' console.log("hello") ');

Well, you updated the question, but we can hack it again:

var vm = module.constructor.prototype.require('vm');
vm.runInThisContext(' console.log("hello") ');

Another variant:

var vm = module.constructor._load('vm');
vm.runInThisContext(' console.log("hello") ');

Again conditions are changed so the next variant:

module.constructor.prototype._compile(' console.log("again hacked") ');
// or
module.__proto__._compile(' console.log("again hacked") ');
// or
Object.getPrototypeOf(module)._compile(' console.log("again hacked") ');

I think better to set module = undefined to make question more complex:)

There are another variant without module🙂

process.stdin.push(' console.log("here we are") \n ');

But it works only in CLI (“repl”)

Also in iojs and in node with version >= 0.11.x you can use contextify binding:

var contextify = process.binding('contextify');
var script = new contextify.ContextifyScript(' console.log("im here, buddy") ');

In node with version < 0.11.x you can use evals binding:

var evals = process.binding('evals');
var script = new evals.NodeScript(' console.log("here I am") ')


module.require = undefined; is not enough as require is inherited from the Module prototype:

module.require = undefined;

var vm = module.__proto__.require('vm');

Instead, you should:

module.__proto__.require = undefined;
// now this fails and you can't use the __proto__ trick:
var vm = module.require('vm');