On Tue, May 7, 2019 at 11:55 PM Soni "They/Them" L. wrote:
Sandbox killer.
I don't believe string.dump should return upvalues.
Returning upvalues would not become a "sandbox killer".
Even if string.dump() does not return upvalues,
when building a sandbox, you MUST modify string.dump() to reject dumping your own functions.
Otherwise all constants used in your functions will be known to untrusted code.
Untrusted code must be limited to dumping only its own functions.
Yes, you should keep a list of your own functions exposed to untrusted code.
For example, when untrusted code invokes
string.dump(your_function),
you should instead invoke the following
string.dump(function(...) return your_function(...) end)
This way, untrusted code could successfully dump and load
your_function() without being able to extract any info about it.
