lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On Wed, Aug 7, 2019 at 12:22 AM Sean Conner <sean@conman.org> wrote:
It was thus said that the Great Kynn Jones once stated:
> Regarding your question, it seems to me that the whitelist should
> include (a) functions that the loaded code invokes, directly or
> indirectly; (b) functions that get called by the interpreter in the
> process of running the loaded code (e.g. functions that intercept
> errors in the loaded code).

Let me elaborate on this a bit.  What I meant to say is that the
functions included in the whitelist can be classified into two groups.

The first group consists of functions that we have included in the
whitelist because we consider them integral to what we have decided to
allow the loaded code to do (for example perform mathematical
operations); these are functions that the loaded code invokes directly
or indirectly.

The second group of functions in the whitelist are other functions,
which are *not* invoked directly or indirectly by the loaded code, but
that get called nonetheless by the Lua interpreter in the process of
running the loaded code.  These include functions that get invoked
when the loaded code has a runtime error.

For example, if functions A and B are defined as

    function A (x) return B(x) end

    function B (x) return math.random(x) end

...and the loaded code is the string 'print(A(1/0))', then `print`,
`A`, and integer division are being *directly* invoked by the loaded
code, while `B` and `math.random` are being *indirectly* invoked by
the loaded code.

On the other hand, the "unnamed code X" responsible for catching the
ensuing error

    bad argument #1 to 'random' (number has no integer representation)

...and printing the useful error message for it is not being invoked,
either directly or indirectly (at least according to the way I'm
defining these terms here), by the loaded code.  Nevertheless, this
"unnamed code X" is carrying out Lua's desired behavior, and should
not be disallowed by the sandbox.  In other words, the functions in
"unnamed code X" should be in included in the whitelist.

My only point is that, in order to put the whitelisting idea into
practice, one needs to be able to include in the whitelist functions
belonging to either of the two categories described above.

Currently I know how to include functions of the first category in the
whitelist, not those of the second category.  Maybe the
whitelist-based sandbox idea can only be implemented properly in C?

kj