saltimbanc

Results 4 comments of saltimbanc

@mgesmundo That will not be enough; you could use `'1 + 1 } { return global.process.env.LOGNAME'` (or any other preceding valid JavaScript before the first closing curly bracket) to bypass...

@mgesmundo That RegExp matches valid code, something like `function one(){return "something"}function two(){return "another thing"}`. Also, you can break it by using a new line between the opening and closing brackets,...

@natarius Probably. This exploit uses invalid syntax so I guess the code will not be transpiled.

@mgesmundo You can break that RegExp using `"{";}"";{`. Full example: `"{";}"";{ return global.process.env.LOGNAME`