- Subject: Re: disallow interaction with "outside world"
- From: Nagaev Boris <bnagaev@...>
- Date: Thu, 2 Jul 2015 07:16:36 +0000
On Wed, Jul 1, 2015 at 8:00 PM, Nathan Hüsken <nathan.huesken@posteo.de> wrote:
> On 01.07.2015 21:37, Ignacio Burgueño wrote:
>> On Wed, Jul 1, 2015 at 4:27 PM, Nathan Hüsken <nathan.huesken@posteo.de>
>> wrote:
>>
>>> Dear Lua community,
>>>
>>> I am completely new to Lua (not to programming) and also to this
>>> community, so hello everyone :-).
>>>
>>
>> Welcome, Nathan.
>> Surely someone more versed on sandboxes will pop soon, but in the meantime,
>> you can search the archives of the mailing list for "sandboxing", because
>> that is an issue that gets regularly discussed.
>
> Ok, cool. That is exactly what I am looking for!
> I might also be targeting the browser. Does sandboxing also work with a
> JavaScript interpreter like moonshine? I am wondering because as far as
> I can see the way a script is loaded is different.
>
> Thanks!
> Nathan
>
(Unrelated) You can find several Lua implementations in JavaScript and
other cool Lua software at [1].

With sandboxing, you can start from [2]. The most difficult things are
isolating the 'string' metatable (otherwise its members are available
through any string variable) and preventing DoS attacks (like
`while true do end`, which can bypass `debug.sethook` on some Lua
implementations).

My own sandbox implementation is at [3]. In my implementation, the
'string' metatable is isolated at the cost of a side effect: when
sandboxed code is called, the metatable of all strings is changed. It
can break non-sandboxed code operating with strings called from
sandboxed code. Maybe this can be fixed by providing an __index
metamethod to that metatable of 'string' so that 'string' behaves like
normal 'string' in non-sandboxed code called from sandboxed code. This
information can be provided by debug.getinfo. Not implemented yet!

[1] http://getawesomeness.com/get/lua
[2] http://lua-users.org/wiki/SandBoxes
[3] https://github.com/starius/config/blob/master/bin/sandbox.lua
--
Best regards,
Boris Nagaev
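
The string metatable leak and the side effect described in the message above, as an added example that is not part of the original post and is not the code of the linked sandbox.lua. `run_in_env`, `run_isolated` and the `safe_string` whitelist are hypothetical names, and swapping `__index` on the shared metatable is an assumed way of doing the isolation.

```lua
-- Added example. run_in_env, run_isolated and safe_string are hypothetical names.
local string_mt = getmetatable("")   -- one metatable shared by every string value

-- Load `code` with `env` as its only globals (Lua 5.1/LuaJIT and 5.2+).
local function run_in_env(code, env)
  local chunk, err
  if setfenv then
    chunk, err = loadstring(code)
    if chunk then setfenv(chunk, env) end
  else
    chunk, err = load(code, "sandboxed", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Whitelisted string methods (a constructed, minimal selection).
local safe_string = { len = string.len, sub = string.sub }

-- Swap the shared __index for the duration of the sandboxed call.
local function run_isolated(code, env)
  local saved = string_mt.__index
  string_mt.__index = safe_string
  local ok, res = run_in_env(code, env)
  string_mt.__index = saved          -- restored even on error: run_in_env uses pcall
  return ok, res
end

-- 1. An empty environment does not hide the string library:
--    the method is found through the metatable, not through a global.
local ok, res = run_in_env('return ("x"):rep(3)', {})
assert(ok and res == "xxx")

-- 2. With the metatable swapped, only whitelisted methods resolve.
assert(not run_isolated('return ("x"):rep(3)', {}))
ok, res = run_isolated('return ("abc"):sub(1, 2)', {})
assert(ok and res == "ab")

-- 3. The side effect: a trusted host function called from the sandbox
--    sees the restricted table too, so s:upper() fails inside it.
local env = { host_upper = function(s) return s:upper() end }
assert(not run_isolated('return host_upper("abc")', env))

-- 4. Outside the sandboxed call the normal behaviour is back.
assert(("abc"):upper() == "ABC")
print("all checks passed")
```

Check 3 is the breakage the message warns about: any host function exposed to the sandbox has to avoid string methods outside the whitelist, or the metatable has to distinguish callers.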