fix: prevent sandbox escape via Symbol.for cross-realm symbols (#553)

* fix: prevent sandbox escape via Symbol.for cross-realm symbols

* fix: prevent Symbol.for bypass via hasOwnProperty override

* fix: prevent Symbol.for bypass via object key coercion

* fix: prevent cross-realm symbol extraction via Object.getOwnPropertySymbols

* fix: prevent cross-realm symbol extraction via spread operator on bridge proxies

Author: patriksimek

lib/bridge.js

@@ -104,6 +104,11 @@ const thisSymbolToString = Symbol.prototype.toString;
 const thisSymbolToStringTag = Symbol.toStringTag;
 const thisSymbolIterator = Symbol.iterator;
 const thisSymbolNodeJSUtilInspectCustom = Symbol.for('nodejs.util.inspect.custom');
+const thisSymbolNodeJSRejection = Symbol.for('nodejs.rejection');
+
+function isDangerousCrossRealmSymbol(key) {
+	return key === thisSymbolNodeJSUtilInspectCustom || key === thisSymbolNodeJSRejection;
+}
 
 /**
  * VMError.
@@ -380,6 +385,8 @@ function createBridge(otherInit, registerProxy) {
 			}
 			for (let i = 0; i < keys.length; i++) {
 				const key = keys[i]; // @prim
+				// Skip dangerous cross-realm symbols
+				if (isDangerousCrossRealmSymbol(key)) continue;
 				let desc;
 				try {
 					desc = otherSafeGetOwnPropertyDescriptor(object, key);
@@ -519,6 +526,8 @@ function createBridge(otherInit, registerProxy) {
 
 		getOwnPropertyDescriptor(target, prop) {
 			// Note: target@this(unsafe) prop@prim throws@this(unsafe)
+			// Filter dangerous cross-realm symbols to prevent extraction
+			if (isDangerousCrossRealmSymbol(prop)) return undefined;
 			const object = this.getObject(); // @other(unsafe)
 			let desc; // @other(safe)
 			try {
@@ -628,6 +637,8 @@ function createBridge(otherInit, registerProxy) {
 
 		has(target, key) {
 			// Note: target@this(unsafe) key@prim throws@this(unsafe)
+			// Filter dangerous cross-realm symbols
+			if (isDangerousCrossRealmSymbol(key)) return false;
 			const object = this.getObject(); // @other(unsafe)
 			try {
 				return otherReflectHas(object, key) === true;
@@ -659,7 +670,22 @@ function createBridge(otherInit, registerProxy) {
 			} catch (e) { // @other(unsafe)
 				throw thisFromOtherForThrow(e);
 			}
-			return thisFromOther(res);
+			// Filter dangerous cross-realm symbols to prevent extraction via spread operator
+			const keys = thisFromOther(res);
+			const filtered = [];
+			for (let i = 0; i < keys.length; i++) {
+				const key = keys[i];
+				if (!isDangerousCrossRealmSymbol(key)) {
+					thisReflectDefineProperty(filtered, filtered.length, {
+						__proto__: null,
+						value: key,
+						writable: true,
+						enumerable: true,
+						configurable: true
+					});
+				}
+			}
+			return filtered;
 		}
 
 		preventExtensions(target) {

lib/setup-sandbox.js

@@ -25,13 +25,143 @@ const {
 	has: localReflectHas,
 	defineProperty: localReflectDefineProperty,
 	setPrototypeOf: localReflectSetPrototypeOf,
-	getOwnPropertyDescriptor: localReflectGetOwnPropertyDescriptor
+	getOwnPropertyDescriptor: localReflectGetOwnPropertyDescriptor,
+	ownKeys: localReflectOwnKeys
 } = localReflect;
 
+const localObjectGetOwnPropertySymbols = localObject.getOwnPropertySymbols;
+const localObjectGetOwnPropertyDescriptors = localObject.getOwnPropertyDescriptors;
+const localObjectAssign = localObject.assign;
+
 const speciesSymbol = Symbol.species;
 const globalPromise = global.Promise;
 class localPromise extends globalPromise {}
 
+/*
+ * Symbol.for protection
+ *
+ * Certain Node.js cross-realm symbols can be exploited for sandbox escapes:
+ *
+ * - 'nodejs.util.inspect.custom': Called by util.inspect with host's inspect function as argument.
+ *   If sandbox defines this on an object passed to host APIs (e.g., WebAssembly.compileStreaming),
+ *   Node's error handling calls the custom function with host context, enabling escape.
+ *
+ * - 'nodejs.rejection': Called by EventEmitter on promise rejection with captureRejections enabled.
+ *   The handler receives error objects that could potentially leak host context.
+ *
+ * Fix: Override Symbol.for to return sandbox-local symbols for dangerous keys instead of cross-realm
+ * symbols. This prevents Node.js internals from recognizing sandbox-defined symbol properties while
+ * preserving cross-realm behavior for other symbols.
+ */
+const originalSymbolFor = Symbol.for;
+const blockedSymbolCustomInspect = Symbol('nodejs.util.inspect.custom');
+const blockedSymbolRejection = Symbol('nodejs.rejection');
+
+Symbol.for = function(key) {
+	// Convert to string once to prevent toString/toPrimitive bypass and TOCTOU attacks
+	const keyStr = '' + key;
+	if (keyStr === 'nodejs.util.inspect.custom') {
+		return blockedSymbolCustomInspect;
+	}
+	if (keyStr === 'nodejs.rejection') {
+		return blockedSymbolRejection;
+	}
+	return originalSymbolFor(keyStr);
+};
+
+/*
+ * Cross-realm symbol extraction protection
+ *
+ * Even with Symbol.for overridden, cross-realm symbols can be extracted from
+ * host objects exposed to the sandbox (e.g., Buffer.prototype) via:
+ *   Object.getOwnPropertySymbols(Buffer.prototype).find(s => s.description === 'nodejs.util.inspect.custom')
+ *
+ * Fix: Override Object.getOwnPropertySymbols and Reflect.ownKeys to replace
+ * dangerous cross-realm symbols with sandbox-local equivalents in results.
+ */
+const realSymbolCustomInspect = originalSymbolFor('nodejs.util.inspect.custom');
+const realSymbolRejection = originalSymbolFor('nodejs.rejection');
+
+function isDangerousSymbol(sym) {
+	return sym === realSymbolCustomInspect || sym === realSymbolRejection;
+}
+
+localObject.getOwnPropertySymbols = function getOwnPropertySymbols(obj) {
+	const symbols = apply(localObjectGetOwnPropertySymbols, localObject, [obj]);
+	const result = [];
+	let j = 0;
+	for (let i = 0; i < symbols.length; i++) {
+		if (typeof symbols[i] !== 'symbol' || !isDangerousSymbol(symbols[i])) {
+			localReflectDefineProperty(result, j++, {
+				__proto__: null,
+				value: symbols[i],
+				writable: true,
+				enumerable: true,
+				configurable: true
+			});
+		}
+	}
+	return result;
+};
+
+localReflect.ownKeys = function ownKeys(obj) {
+	const keys = apply(localReflectOwnKeys, localReflect, [obj]);
+	const result = [];
+	let j = 0;
+	for (let i = 0; i < keys.length; i++) {
+		if (typeof keys[i] !== 'symbol' || !isDangerousSymbol(keys[i])) {
+			localReflectDefineProperty(result, j++, {
+				__proto__: null,
+				value: keys[i],
+				writable: true,
+				enumerable: true,
+				configurable: true
+			});
+		}
+	}
+	return result;
+};
+
+/*
+ * Object.getOwnPropertyDescriptors uses the internal [[OwnPropertyKeys]] which
+ * bypasses our Reflect.ownKeys override. The result object has dangerous symbols
+ * as property keys, which can then be leaked via Object.assign/Object.defineProperties
+ * to a Proxy whose set/defineProperty trap captures the key.
+ */
+localObject.getOwnPropertyDescriptors = function getOwnPropertyDescriptors(obj) {
+	const descs = apply(localObjectGetOwnPropertyDescriptors, localObject, [obj]);
+	localReflectDeleteProperty(descs, realSymbolCustomInspect);
+	localReflectDeleteProperty(descs, realSymbolRejection);
+	return descs;
+};
+
+/*
+ * Object.assign uses internal [[OwnPropertyKeys]] on source objects, bypassing our
+ * Reflect.ownKeys override. If a source (bridge proxy) has an enumerable dangerous-symbol
+ * property, the symbol is passed to the target's [[Set]] which could be a user Proxy trap.
+ */
+localObject.assign = function assign(target) {
+	if (target === null || target === undefined) {
+		throw new LocalError('Cannot convert undefined or null to object');
+	}
+	const to = localObject(target);
+	for (let s = 1; s < arguments.length; s++) {
+		const source = arguments[s];
+		if (source === null || source === undefined) continue;
+		const from = localObject(source);
+		const keys = apply(localReflectOwnKeys, localReflect, [from]);
+		for (let i = 0; i < keys.length; i++) {
+			const key = keys[i];
+			if (typeof key === 'symbol' && isDangerousSymbol(key)) continue;
+			const desc = apply(localReflectGetOwnPropertyDescriptor, localReflect, [from, key]);
+			if (desc && desc.enumerable === true) {
+				to[key] = from[key];
+			}
+		}
+	}
+	return to;
+};
+
 const resetPromiseSpecies = (p) => {
 	if (p instanceof globalPromise && ![globalPromise, localPromise].includes(p.constructor[speciesSymbol])) {
 		Object.defineProperty(p.constructor, speciesSymbol, { value: localPromise });

test/vm.js

@@ -1294,6 +1294,159 @@ describe('VM', () => {
 		`), /process is not defined/);
 	});
 
+	it('Symbol.for dangerous Node.js symbols isolation', () => {
+		// Certain Node.js cross-realm symbols can be exploited for sandbox escapes:
+		// - 'nodejs.util.inspect.custom': Called by util.inspect with host's inspect function
+		// - 'nodejs.rejection': Called by EventEmitter on promise rejection
+		//
+		// Fix: These symbols return sandbox-local versions instead of cross-realm symbols,
+		// so Node.js internals won't recognize sandbox-defined symbol properties.
+		const vm2 = new VM();
+
+		// These dangerous symbols should be isolated (sandbox gets different symbol than host)
+		const dangerousSymbols = [
+			'nodejs.util.inspect.custom',
+			'nodejs.rejection'
+		];
+
+		for (const key of dangerousSymbols) {
+			const hostSymbol = Symbol.for(key);
+			const sandboxSymbol = vm2.run(`Symbol.for('${key}')`);
+
+			assert.notStrictEqual(
+				sandboxSymbol,
+				hostSymbol,
+				`Sandbox Symbol.for("${key}") should return a different symbol than host`
+			);
+		}
+
+		// Other symbols should still work cross-realm (backwards compatibility)
+		const safeSymbols = ['foo', 'bar', 'some.random.key'];
+		for (const key of safeSymbols) {
+			const hostSymbol = Symbol.for(key);
+			const sandboxSymbol = vm2.run(`Symbol.for('${key}')`);
+
+			assert.strictEqual(
+				sandboxSymbol,
+				hostSymbol,
+				`Symbol.for("${key}") should still work cross-realm`
+			);
+		}
+	});
+
+	it('Symbol extraction via Object.getOwnPropertySymbols on host objects', () => {
+		// The cross-realm symbol can be obtained from host objects like Buffer.prototype
+		// via Object.getOwnPropertySymbols, bypassing the Symbol.for override entirely.
+		const vm2 = new VM();
+
+		// Attempt to extract the real cross-realm symbol from Buffer.prototype
+		const extractedSymbol = vm2.run(`
+			const symbols = Object.getOwnPropertySymbols(Buffer.prototype);
+			symbols.find(s => s.description === 'nodejs.util.inspect.custom');
+		`);
+
+		assert.strictEqual(
+			extractedSymbol,
+			undefined,
+			'Dangerous cross-realm symbols should be filtered from Object.getOwnPropertySymbols results'
+		);
+
+		// Also verify Reflect.ownKeys doesn't leak the real symbol
+		const extractedViaReflect = vm2.run(`
+			const keys = Reflect.ownKeys(Buffer.prototype);
+			keys.find(k => typeof k === 'symbol' && k.description === 'nodejs.util.inspect.custom');
+		`);
+
+		assert.strictEqual(
+			extractedViaReflect,
+			undefined,
+			'Dangerous cross-realm symbols should be filtered from Reflect.ownKeys results'
+		);
+
+		// Verify Array.prototype monkey-patching can't bypass the filter
+		const vm3 = new VM();
+		const extractedWithSplicePatch = vm3.run(`
+			Array.prototype.splice = function() { /* no-op */ };
+			const symbols2 = Object.getOwnPropertySymbols(Buffer.prototype);
+			symbols2.find(s => typeof s === 'symbol' && s.description === 'nodejs.util.inspect.custom');
+		`);
+
+		assert.strictEqual(
+			extractedWithSplicePatch,
+			undefined,
+			'Array.prototype.splice override should not bypass symbol filtering'
+		);
+
+		// Verify Object.getOwnPropertyDescriptors filters dangerous symbols from result
+		const vm4 = new VM();
+		const descs = vm4.run(`Object.getOwnPropertyDescriptors(Buffer.prototype)`);
+		const hostInspectSymbol = Symbol.for('nodejs.util.inspect.custom');
+
+		assert.strictEqual(
+			hostInspectSymbol in descs,
+			false,
+			'Object.getOwnPropertyDescriptors should not include dangerous symbol keys in result'
+		);
+
+		// Verify Object.assign doesn't copy dangerous symbol-keyed properties
+		const vm5 = new VM();
+		const assigned = vm5.run(`
+			const target = {};
+			Object.assign(target, Buffer.prototype);
+			target;
+		`);
+
+		assert.strictEqual(
+			hostInspectSymbol in assigned,
+			false,
+			'Object.assign should not copy dangerous symbol-keyed properties'
+		);
+	});
+
+	it('Symbol extraction via spread operator on host objects', () => {
+		// The spread operator {...obj} calls [[OwnPropertyKeys]] internally,
+		// which invokes the proxy's ownKeys trap directly, bypassing any
+		// Reflect.ownKeys override in the sandbox.
+		const vm2 = new VM();
+		const hostInspectSymbol = Symbol.for('nodejs.util.inspect.custom');
+
+		// Verify spread operator doesn't copy dangerous symbol-keyed properties
+		const spread = vm2.run(`
+			const spread = {...Buffer.prototype};
+			spread;
+		`);
+
+		assert.strictEqual(
+			hostInspectSymbol in spread,
+			false,
+			'Spread operator should not copy dangerous symbol-keyed properties from host objects'
+		);
+
+		// Verify the full attack doesn't work
+		const vm3 = new VM();
+		const attackResult = vm3.run(`
+			const {...inspectDesc} = Buffer.prototype;
+			for (const k in inspectDesc) delete inspectDesc[k];
+
+			// If the dangerous symbol leaked, inspectDesc would have a symbol key
+			// with a function value that Object.defineProperties would interpret
+			let hasSymbolKey = false;
+			const symbols = Object.getOwnPropertySymbols(inspectDesc);
+			for (let i = 0; i < symbols.length; i++) {
+				if (symbols[i].description === 'nodejs.util.inspect.custom') {
+					hasSymbolKey = true;
+				}
+			}
+			hasSymbolKey;
+		`);
+
+		assert.strictEqual(
+			attackResult,
+			false,
+			'Dangerous symbol should not be extractable via spread operator'
+		);
+	});
+
 	it('Function.prototype.call attack via Promise', async () => {
 		const vm2 = new VM();
 		// This attack attempts to override Function.prototype.call to capture