Christian Tellefsen wrote:
> Jim Whitehead II wrote:
>> Keep in mind that certain C functions (like string.find) won't
>> call your debug hook in them, so a user script can still tie up the
>> system in what appears to be an infinite loop, but really is just code
>> that takes a long time to run (all without your hook being called).
>> - Jim
> OK, thanks, I'll keep that in mind, or maybe I'll just remove access to
> that function.

That's not really a solution, to be honest. There are other functions
with this problem as well. In addition, there are also things you can't
remove that will result in your hook rarely being called.

A few examples:

string.rep("s", 2^30) -- Removable, but probably a bad idea

-- Problematic if it can loop enough times:
local s = "aaaaaaaaaaaaaaaa";
while true do
  s = s .. s;
end

The second is a more severe problem because it's the concatenation that
will take a long time (at later iterations, e.g., around the 5th+). If
your limits are set low enough, this won't be a problem because that
iteration can't be reached. But if your limits aren't low enough, and
those iterations are reachable, you're going to encounter a problem in
that the concatenation operation can take a very long time.

These are just a few examples of what came across various Lua bots that
have been tested for security. Generally the premium solution has been
in one of two forms:

(1) Use ulimit to control CPU usage (not portable)
(2) Use a second thread through a library like lualanes to monitor the
progression of the execution thread, and terminate it after a known time

Neither of these, however, are Lua-only solutions.

Matthew P. Del Buono
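
Option (1) above, sketched as an added example that is not part of the original message: a POSIX shell wrapper that applies ulimit -t in a subshell and reports whether the kernel stopped the child. The helper names and the `lua untrusted.lua` command are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. run_limited and
# limited_outcome are hypothetical helper names.

# run_limited CPU_SECONDS COMMAND [ARGS...]
# Sets the CPU-time limit inside a subshell so only the child is limited,
# then exec's the command so its exit status reaches the caller unchanged.
# The kernel enforces the limit, so time spent inside C functions or in a
# huge concatenation counts even though no Lua debug hook runs there.
run_limited() {
    cpu_secs=$1
    shift
    (
        ulimit -t "$cpu_secs" || exit 125   # could not apply the limit
        exec "$@"
    )
}

# limited_outcome CPU_SECONDS COMMAND [ARGS...]
# Discards the command's output and prints one word for how it ended:
#   completed    exit status 0
#   failed:N     exited on its own with status N
#   killed:SIG   terminated by signal number SIG (SIGXCPU or SIGKILL
#                when the CPU limit is what stopped it)
limited_outcome() {
    status=0
    run_limited "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo completed
    elif [ "$status" -gt 128 ]; then
        echo "killed:$((status - 128))"
    else
        echo "failed:$status"
    fi
}

# Typical use (assumed file name): limited_outcome 2 lua untrusted.lua
```

The limit counts CPU seconds, not wall-clock time, so a script that sleeps or blocks on I/O is not stopped by it.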