[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: disallow interaction with "outside world"
- From: Rena <hyperhacker@...>
- Date: Thu, 2 Jul 2015 04:56:40 -0400
On Thu, Jul 2, 2015 at 3:16 AM, Nagaev Boris <bnagaev@gmail.com> wrote:
> On Wed, Jul 1, 2015 at 8:00 PM, Nathan Hüsken <nathan.huesken@posteo.de> wrote:
>> On 01.07.2015 21:37, Ignacio Burgueño wrote:
>>> On Wed, Jul 1, 2015 at 4:27 PM, Nathan Hüsken <nathan.huesken@posteo.de>
>>> wrote:
>>>
>>>> Dear Lua community,
>>>>
>>>> I am completely new to lua (not to programming) and also to this
>>>> community, so hello everyone :-).
>>>>
>>>
>>> Welcome, Nathan.
>>> Surely someone more versed on sandboxes will pop soon, but in the meantime,
>>> you can search the archives of the mailing list for "sandboxing", because
>>> that is an issue that gets regularly discussed.
>>
>> Ok, cool. That is exactly what I am looking for!
>> I might also be targeting the browser. Does sandboxing also work with an
>> javascript interpreter like moonshine? I am wondering because as far as
>> I can see the way a script is loaded is different.
>>
>> Thanks!
>> Nathan
>>
>
> (Unrelated) You can find several Lua implementations in JavaScript and
> other cool Lua software [1].
>
> With sandboxing, you can start from [2]. Most difficult things are
> isolating 'string' metatable (otherwise its members are available
> through any string variable) and prevention of DoS attacks (like
> `while true do end`, which can bypass `debug.sethook` on some Lua
> implementations).
>
> My own sandbox implementation [3]. In my implementation, 'string'
> metatable is isolated at the cost of side effect: when sandboxed code
> is called, metatable of all strings is changed. It can break
> non-sandboxed code operating with strings called from sandboxed code.
> Maybe this can be fixed by providing __index metamethod to that
> metatable of 'string' so that 'string' behaves like normal 'string' in
> non-sandboxed code called from sandboxed code. This information can be
> provided by debug.getinfo. Not implemented yet!
>
>
> [1] http://getawesomeness.com/get/lua
> [2] http://lua-users.org/wiki/SandBoxes
> [3] https://github.com/starius/config/blob/master/bin/sandbox.lua
>
>
> --
>
>
> Best regards,
> Boris Nagaev
>
I'd be surprised if "while true do end" can break debug hooks, since
it's not making any C calls. Any time you make a C function available
though (such as string.rep) you have to watch out that the user can't
abuse it to overwhelm your app, e.g. with string.rep("a", 99999999) or
("a"):rep(9999):rep(9999):rep(9999):rep(9999)...
--
Sent from my Game Boy.