Hi Sean,
Regarding your question, it seems to me that the whitelist should
include (a) functions that the loaded code invokes, directly or
indirectly; (b) functions that get called by the interpreter in the
process of running the loaded code (e.g. functions that intercept
errors in the loaded code).
In other words, the loaded code should not be blocked just because the
interpeter called its own functions in the process of interpreting the
loaded code.
---
In any case, I tried your idea, after first modifying the snippet so
that it looks more like a sandbox.
#!/usr/bin/env lua5.3
local loaded_chunk = assert(load('nonexistent()', "=(load)", "t", {}))
local whitelist = {
[loaded_chunk] = true,
[pcall] = true,
[assert] = true,
-- ... other allowed functions
}
local function callhook ()
local info = debug.getinfo(2, "fnS")
if not whitelist[info.func] then
error(string.format("calling disallowed function (%s:%d): %s (%s)",
info.short_src,
info.linedefined,
(
info.name or "?"),
info.func))
end
end
debug.sethook(callhook, "c")
assert(pcall(loaded_chunk))
Now, the snippet fails with
lua5.3: ./snippet.lua:12: calling disallowed function ([C]:-1): ? (function: 0x56179333bef0)
stack traceback:
[C]: in function 'error'
./snippet.lua:12: in function <./snippet.lua:9>
[C]: in ?
[C]: in function 'assert'
./snippet.lua:20: in main chunk
[C]: in ?
Again, the nature of the underlying error (the attempt to call
nonexistent) gets obscured. Instead, we get a `calling disallowed
function` error, which is not entirely accurate.
Thank you once more,
kj
