Thanks for the quick reply. Can you please explain what you mean by 'make a sandboxed copy of _G with allowed functions'?

On Wed, Jan 19, 2022 at 3:51 PM Spar <developspartv@gmail.com> wrote:
How will it increase the memory usage?
If you mean they can put garbage in their own env table, they could do it with locals too. But speaking about the global table, you can just create one empty table and set a metamethod to restrict assigning to it. __index will grab values from _G.
If you want to prevent them from changing this, make a sandboxed copy of _G with allowed functions.
On 19 Jan 2022, 16:46 +0300, Meir Shpilraien <meir@redis.com>, wrote:
This is option number 2 I listed. But it will potentially increase memory usage. I would prefer not to allow scripts to create any globals (and somehow force it to make sure scripts can not bypass it).

On Wed, Jan 19, 2022 at 3:39 PM Spar <developspartv@gmail.com> wrote:
How are other scripts run? If you do it from the C API you can set the environment for each compiled script. On the Lua side you can use setfenv.
On 19 Jan 2022, 16:36 +0300, Meir Shpilraien <meir@redis.com>, wrote:
Hi everyone,

I was wondering what the recommended way is to disallow a script from changing the global table. The problem I am facing: assuming I provide, for example, an API to the users, A1, another user can do 'A1=function ... end' and override my implementation of A1 and cause all other users to run his code.

I can think of multiple ways:
1. Create a Lua VM per script - this requires a lot of memory
2. Different environments per script - also might require a lot of memory
3. Make the global table a read-only table as described here: http://lua-users.org/wiki/ReadOnlyTables, though in this way a user can use rawset to bypass it, and I can not use a userdata to avoid it because I can not set a userdata as a global table (and I do not want to disallow rawset).

Is there any other way to lock the global table from any changes?

I am using Lua 5.1.5.

Thanks.


Disclaimer

The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
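
What a "sandboxed copy of _G with allowed functions" can look like on Lua 5.1, as an added example that is not code from this thread: one whitelisted table behind a read-only proxy is shared as the environment of every script, so no per-script table is allocated. The whitelist contents, the helper names `readonly` and `run`, the guarded `rawset` wrapper and the body of `A1` are assumptions made for illustration.

```lua
-- Added example for Lua 5.1 (setfenv/loadstring); all names are illustrative.
local locked = setmetatable({}, { __mode = "k" })  -- tables scripts must not write

-- Empty proxy that reads through to `src` and rejects every write.
local function readonly(src)
  local proxy = setmetatable({}, {
    __index = src,
    __newindex = function(_, k)
      error("read-only: cannot set '" .. tostring(k) .. "'", 2)
    end,
    __metatable = false,  -- hides the metatable and blocks setmetatable on it
  })
  locked[proxy] = true
  return proxy
end

-- The "sandboxed copy of _G": only whitelisted names, built once, shared.
-- getmetatable, getfenv, setfenv and the loaders are left out on purpose:
-- they would give a script a path back to shared host tables.
local allowed = {}
for _, name in ipairs{ "assert", "error", "ipairs", "pairs", "pcall",
                       "select", "tonumber", "tostring", "type", "unpack" } do
  allowed[name] = _G[name]
end
for _, lib in ipairs{ "string", "table", "math" } do
  allowed[lib] = readonly(_G[lib])
end
allowed.rawset = function(t, k, v)  -- rawset stays, but not on locked proxies
  if locked[t] then error("read-only: rawset refused", 2) end
  return rawset(t, k, v)
end
allowed.A1 = function() return "host A1" end  -- hypothetical host API
local sandbox_G = readonly(allowed)
allowed._G = sandbox_G

local function run(src)
  if src:byte(1) == 27 then return false, "binary chunks refused" end
  local chunk, err = loadstring(src)
  if not chunk then return false, err end
  return pcall(setfenv(chunk, sandbox_G))
end

-- Constructed test scripts.
assert(not run("A1 = function() return 'evil' end"))  -- override rejected
assert(not run("x = 1"))                               -- no new globals
assert(not run("rawset(_G, 'A1', nil)"))               -- rawset bypass rejected
assert(not run("string.format = nil"))                 -- library proxy holds
assert(select(2, run("local t = {} rawset(t, 'k', 1) return t.k")) == 1)
assert(select(2, run("return A1()")) == "host A1")     -- API intact
```

Because the proxies are empty tables, `pairs` over `_G` or a library table yields nothing inside the sandbox; scripts that need to enumerate a library would need a host-provided iterator.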


