I did answer directly: this exploit requires run permission with any argument and write permission to any directory. It allows malicious script to escape sandbox and execute arbitrary code outside of it.
> this exploit requires run permission with any argument and write permission to any directory. It allows malicious script to escape sandbox and execute arbitrary code outside of it.
I suppose you wrote something wrong here and I'm interested in knowing what.
Because as it stands now I read it falls down to: "If you open the permission system up extremely wide you can get exploited."
Alternatively, after thinking for a couple of minutes I can read it as "if you simultaneously allow run permission with anything and write permission with anything".
In the last case it is slightly more problematic, but if one allows a script to execute anything that is itself a huge red flag.
... and on Node this red flag is always flying by default.
I suppose you wrote something wrong here and I'm interested in knowing what.
Because as it stands now I read it falls down to: "If you open the permission system up extremely wide you can get exploited."
Alternatively, after thinking for a couple of minutes I can read it as "if you simultaneously allow run permission with anything and write permission with anything".
In the last case it is slightly more problematic, but if one allows a script to execute anything that is itself a huge red flag.
... and on Node this red flag is always flying by default.