Define custom Error.prepareStackTrace

CHANGELOG.yaml

@@ -1,3 +1,7 @@
+unreleased:
+  fixed bugs:
+    - GH-907 Defined `Error.prepareStackTrace` to prevent stack trace pollution
+
 4.2.4:
   date: 2023-03-10
   fixed bugs:

lib/sandbox/index.js

@@ -54,6 +54,22 @@
         // @note this deletes the constructor as well to make sure one can't recreate the same scope
         contextObject = Object.getPrototypeOf(contextObject);
     } while (contextObject && contextObject.constructor !== Object);
+
+    // define custom Error.prepareStackTrace
+    Object.defineProperty(Error, 'prepareStackTrace', {
+        value: function (error, structuredStackTrace) {
+            const errorString = error.toString();
+
+            if (Array.isArray(structuredStackTrace) && !structuredStackTrace.length) {
+                return errorString;
+            }
+
+            return `${errorString}\n    at ${structuredStackTrace.join('\n    at ')}`;
+        },
+        configurable: false,
+        enumerable: false,
+        writable: false
+    });
 }());
 
 // do include json purse

test/unit/sandbox-sanity.test.js

@@ -57,6 +57,24 @@ describe('sandbox', function () {
         });
     });
 
+    it('should not be able to mutate Error.prepareStackTrace', function (done) {
+        Sandbox.createContext(function (err, ctx) {
+            if (err) { return done(err); }
+            ctx.on('error', done);
+
+            ctx.execute(`
+                var assert = require('assert');
+                var fn = Error.prepareStackTrace;
+
+                Error.prepareStackTrace = () => {};
+                assert.equal(Error.prepareStackTrace, fn);
+
+                var err = new Error('Test');
+                assert.equal(err.stack.split('\\n')[0], 'Error: Test');
+            `, done);
+        });
+    });
+
     it('should not have access to global properties', function (done) {
         Sandbox.createContext({ debug: true }, function (err, ctx) {
             if (err) { return done(err); }