fix(HeavyButter): add MJS require() module whitelist and permission system (AV-004) by r13xr13 · Pull Request #2521 · BruceDevices/firmware

r13xr13 · 2026-06-08T07:34:25Z

Closes MJS sandbox escape.

…ystem (AV-004) - Add SAFE_MODULES and DANGEROUS_MODULES lists to globals_js.cpp - native_require() now checks whitelist: safe modules always allowed, dangerous modules require __allow() permission - Add native_requireAllow() as __allow() JS global function - Build hidden __module_registry in interpreter.cpp, remove dangerous modules from global scope - Update 12 shipped JS scripts to add __allow() calls before using dangerous modules (storage, wifi, subghz, ir, serial, audio, gpio, badusb) This closes the MJS sandbox escape vulnerability. Downloaded App Store scripts that call require('storage') or require('wifi') without first calling __allow() will receive a TypeError.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(HeavyButter): add MJS require() module whitelist and permission system (AV-004)#2521

fix(HeavyButter): add MJS require() module whitelist and permission system (AV-004)#2521
r13xr13 wants to merge 1 commit into
BruceDevices:mainfrom
r13xr13:fix/mjs-whitelist-heavybutter

r13xr13 commented Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

r13xr13 commented Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant