lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index] 

On Sun, May 3, 2015 at 5:40 PM, Nagaev Boris <bnagaev@gmail.com> wrote:
> On Sun, May 3, 2015 at 5:06 PM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
>> 2015-05-03 18:40 GMT+02:00 Nagaev Boris <bnagaev@gmail.com>:
>>> On Sun, May 3, 2015 at 4:35 PM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
>>>>
>>>> You can put a function in the "string" table and it will immediately
>>>> be callable with object-oriented syntax on a string object just like
>>>> str:format etc. Since the first argument is provided, that function
>>>> can itself pick out a submethod from a table of functions.
>>>>
>>>
>>> Changing global metatable of all strings does not sound good. If all
>>> strings had same methods, then methods added to UrlString, would also
>>> be available to normal strings. It is confusing and it breaks idea of
>>> sandboxes, because sandboxed code can apply UrlString's methods to
>>> malicious strings.
>>
>> If the methods were all provided by the sandbox author, who presumably
>> knows what he is doing, I don't see the problem.
>>
>
> Can a sandbox isolate added string's methods? Can you provide
> sandboxing function passing this test:
>
> string.hack = function() print("Hacked") end
> code = [[ ("just string"):hack() ]]
> sandbox(code)
>

Can I secure a sandbox by replacing all items of string table before
calling sandboxed function and restoring them back afterwards? I'm
trying to apply this approach in my sandbox module [1]. Testing (and
breaking) it is welcome. Test file is [2]. Currently it checks that
string's members are not exposed to sandbox only.

[1] https://github.com/starius/config/blob/master/bin/sandbox.lua#L68
[2] https://github.com/starius/config/blob/master/bin/sandbox_test.lua

-- 


Best regards,
Boris Nagaev