Let's say I create `LuaRuntime` with `register_eval=False` and an `attribute_filter` that prevents access to anything except a few Python functions. Is it safe to assume that Lua code won't be able to do `os.system("rm -rf *")` or something like that?
Viewed 2,261 times
5
-
1 It's probably safer to compile a custom Lua with all I/O libraries and other stuff you'd want to prohibit ripped out. Even then, a DOS attack is easy (just write an infinite loop). – Jul 03 '13 at 17:20
-
@delnan Good point, my current plan is to spawn a separate process and use the `resource` module to limit CPU and RAM usage – ramirami Jul 04 '13 at 13:55
-
In general, only ever execute untrusted code if your life absolutely, positively depended on it. Like, someone holds a gun to your head and/or to the heads of your loved ones, threatening to shoot if you don't. Just assume that *any* sandbox can be broken out of (and yes, a DoS is even easier). Google Chrome had breakouts. Any VM had breakouts. – Jürgen A. Erhard Jul 03 '16 at 16:21
1 Answer
11
From looking at the Lupa doc:
Restricting Lua access to Python objects
Lupa provides a simple mechanism to control access to Python objects. Each attribute access can be passed through a filter function as follows...
It doesn't say anything about preventing or limiting access to facilities provided by Lua itself. If no other modifications are done to the `LuaRuntime` environment then a Lua script can indeed do something like `os.execute("rm -rf *")`.
To control what kind of environment the Lua script works in you can use the `setfenv` and `getfenv` to sandbox the script before running it. For example:
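```python
import lupa

# setfenv/getfenv exist in Lua 5.1 and LuaJIT only; they were removed in Lua 5.2.
L = lupa.LuaRuntime()

def foobar():
    """Placeholder for a Python function the script is allowed to call."""
    return "foobar"

# Start from an empty table and copy in only what the script may use.
sandbox = L.eval("{}")
setfenv = L.eval("setfenv")
sandbox.print = L.globals().print
sandbox.math = L.globals().math
sandbox.string = L.globals().string
sandbox.foobar = foobar
# etc...
# Level 0 replaces the global environment of the running thread.
setfenv(0, sandbox)
```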
Now doing something like `L.execute("os.execute('rm -rf *')")` will result in a script error.
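
The plan from the comments under the question (a separate process limited with the `resource` module) could look like the following, since an environment sandbox does nothing against an infinite loop. This is an added example, not code from the original posts; `run_limited`, the limit values and the stand-in child commands are assumptions, and it needs a POSIX system.

```python
import resource
import signal
import subprocess
import sys


def _apply_limits(cpu_seconds, memory_bytes):
    """Build a preexec_fn: it runs in the child after fork, before exec."""
    def apply():
        # Soft CPU limit raises SIGXCPU; the hard limit one second later is SIGKILL.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Cap the address space so a runaway allocation fails inside the child.
        resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
    return apply


def run_limited(argv, cpu_seconds=1, memory_bytes=1 << 30, wall_seconds=10):
    """Run argv as a child process under limits; return (verdict, stdout)."""
    proc = subprocess.Popen(
        argv,
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        preexec_fn=_apply_limits(cpu_seconds, memory_bytes),
    )
    try:
        out, _ = proc.communicate(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        # RLIMIT_CPU counts CPU time only; a sleeping child needs a wall-clock cap.
        proc.kill()
        proc.communicate()
        return "wall-timeout", b""
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu-limit", out
    return ("ok" if proc.returncode == 0 else "failed"), out


if __name__ == "__main__":
    # Constructed stand-ins for a worker process that would host the LuaRuntime.
    workers = {
        "infinite loop": "while True: pass",
        "huge allocation": "bytearray(4 << 30)",
        "well behaved": "print('done')",
    }
    for name, code in workers.items():
        print(name, run_limited([sys.executable, "-c", code]))
```

In real use the child command would be the script that creates the `LuaRuntime` and runs the untrusted Lua, with results passed back over stdout.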