Have a look at this: https://gist.github.com/pygy/8032764

-- lutn.lua
-- Loads a single Lua expression as a JSON-like file, securely.
-- function expressions are prohibited, and the __index of the
-- strings metatable is temporarily stripped or replaced.

-- see also: ltin

-- usage:
-- lutn = require "lutn"
-- result = lutn(source_string [, environment = nil] [, string_metatable_index = nil])

-- Pierre-Yves


On Thu, Dec 19, 2013 at 1:43 AM, Rena <hyperhacker@gmail.com> wrote:
> It's very tempting to write config files that are just Lua scripts that
> construct tables/strings and call some pre-defined functions. The only
> problem with this is that a faulty or malicious config file can do a lot
> more than a config file should be able to do.
>
> This is partially mitigated by not providing any functions in the
> environment that it doesn't need, but that doesn't prevent someone slipping
> "while true do end" or (if you provide the string library)
> ("x"):rep(100000000) into them. (And the latter won't be stopped by a debug
> hook counting instructions either.) The only way I know of to avoid this is
> to impose resource limits on the entire process, but that seems like
> overkill, and Lua doesn't provide a way to do that natively.
>
> Really, there's no need I can see for a config file to ever use a loop, so
> what if we could just ask Lua "load this file, but throw an error if it
> contains any loop instructions"? Or, what if we could load the file,
> string.dump it, and examine the bytecode to see if it has any loops?
>
> I don't really know enough about Lua bytecode to try such a thing. I think
> it'd be simple enough to scan for backward branches, but that wouldn't avoid
> creating a loop like:
> function f() f() end; f()
> or even chaining a few functions together to avoid simple detection. But
> config files usually shouldn't have any need to create functions, either...
>
> I think by disallowing loops and the creation of functions, and being
> careful what you provide in the environment, it could be safe to have your
> config files be Lua source files, and load them without any resource limits.
>
> --
> Sent from my Game Boy.
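A loader that combines the defences discussed in this thread (single expression only, empty environment, string metatable __index stripped while the chunk runs, and an instruction-count debug hook as a backstop), written as an added example; it is not lutn and not code from either poster. It assumes Lua 5.2 or later (load() with mode and env arguments), and the names load_config and max_instructions are my own.

```lua
-- Added example (not lutn, not from the thread). Assumes Lua 5.2+.
local function load_config(source, max_instructions)
  max_instructions = max_instructions or 10000

  -- 1. Treat the config as one expression by prefixing "return ".
  --    Statements such as "while true do end" then fail to parse, because
  --    "return" must be the last statement of the chunk. Mode "t" rejects
  --    precompiled bytecode; the empty table as env hides every global
  --    (string, os, io, load, ...), so nothing is callable by name.
  local chunk, err = load("return " .. source, "=config", "t", {})
  if not chunk then return nil, "syntax: " .. err end

  -- 2. Strip __index from the string metatable so ("x"):rep(1e8) cannot be
  --    reached through method syntax while the chunk runs. The env alone
  --    does not cover this route, since the metatable is process-global.
  local smt = getmetatable("")
  local saved_index = smt.__index
  smt.__index = nil

  -- 3. Count VM instructions; a loop or recursion inside a function
  --    expression raises an error instead of hanging. A single long C call
  --    (string.rep) is not interrupted by this hook, hence step 2.
  local budget = max_instructions
  debug.sethook(function()
    budget = budget - 1000
    if budget <= 0 then error("instruction budget exceeded", 2) end
  end, "", 1000)

  local ok, result = pcall(chunk)

  -- Always restore global state, whether or not the chunk failed.
  debug.sethook()
  smt.__index = saved_index

  if not ok then return nil, "runtime: " .. tostring(result) end
  if type(result) ~= "table" then return nil, "config must be a table" end
  return result
end

-- Constructed sample inputs:
print(load_config('{ port = 8080, hosts = { "a", "b" } }'))      -- a table
print(load_config('("x"):rep(100000000)'))                        -- nil, runtime error: attempt to index a string value
print(load_config('(function() while true do end end)()'))         -- nil, runtime error: instruction budget exceeded
print(load_config('while true do end'))                            -- nil, syntax error
```

Unlike lutn, this version does not reject the function keyword outright; it only bounds what a function expression can do, so a config could still return a table containing functions that the caller should refuse.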