lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On 12/03/17 04:16 PM, Rain Gloom wrote:
TLDR: just like we can disable bytecode loading, we should be able to disable certain language constructs, creating fully sandboxed configs

The biggest problem that simple _ENV sandboxing can't avoid is infinitely long running code, one would need either the debug library to block a script after N instructions or use their own parser.

In more detail, what can pose the biggest problems are loops and recursions. The latter can be hacked around with `debug.sethook` but loops require either bytecode inspection, a custom parser or a simple token based checking algorithm.

Bytecodes are not portable and a full parser is unnecessarily big if the author just wants to block a few language constructs.

I am not sure how well a token parser would work, it is still too complicated imo, even if it does not mean two parsers running at once doing the same thing, it is still a pointless duplication of effort.

My solution would to add more option to the `load()` functions that could manipulate what the parser should accept. The recursion problem is a bit more difficult, based on my understanding of Lua, it would either have to hook in at the compiler level, but that is only feasible when recurring on locally defined functions, as expecting the compiler to figure out if passing the local function to another would mean that the other function would somehow call that first function and end up in some weird recursion would be too much work (complex graph analysis would have to be involved to make it correct).

So recursion is really best solved with `debug.sethook` and inspecting each call event to determine if the function is already on the stack.

So, what are everyone's thoughts? Is this actually a problem in the wild?

I once used a deserializer to deserialize something like this:

local t = {}
local function _(wait, ...)
  for i=1,wait do
-- etc
return t

Since I was serializing events(?) and I needed to do some minor (de)compression for a few events here and there because of limited disk space.

(It was so long ago that I actually forgot what it was for (or what the code was). Oops.)

Disclaimer: these emails may be made public at any given time, with or without reason. If you don't agree with this, DO NOT REPLY.