It's very tempting to write config files that are just Lua scripts that construct tables/strings and call some pre-defined functions. The only problem with this is that a faulty or malicious config file can do a lot more than a config file should be able to do.
This is partially mitigated by not providing any functions in the environment that it doesn't need, but that doesn't prevent someone slipping "while true do end" or (if you provide the string library) ("x"):rep(100000000) into them. (And the latter won't be stopped by a debug hook counting instructions either.) The only way I know of to avoid this is to impose resource limits on the entire process, but that seems like overkill, and Lua doesn't provide a way to do that natively.
Really, there's no need I can see for a config file to ever use a loop, so what if we could just ask Lua "load this file, but throw an error if it contains any loop instructions"? Or, what if we could load the file, string.dump it, and examine the bytecode to see if it has any loops?
I don't really know enough about Lua bytecode to try such a thing. I think it'd be simple enough to scan for backward branches, but that wouldn't avoid creating a loop like:
