
I'm making an IRC bot in C#, and want to have Lua be executable via a command. I already have this working, and have overcome some basic obstacles, but now I'm having a larger problem with a StackOverflowException; my friend gave me some Lua code to run, which every time seems to cause a StackOverflowException, no matter how hard I try to prevent it.

```lua
print(string.find(string.rep("a", 2^20), string.rep(".?", 2^20)))
```

So, with this being executed using LuaInterface (LuaInterface 2.0.0.16708 to be precise) - I get a StackOverflowException in my code and I don't seem to be able to fix this, looking at some previous questions.

I know parsing code before executing it to predict stack overflows is hard, so I don't know how I would circumvent this. I have already tried multi-threading (which solved a previous problem where yielding code wouldn't return control back to C#) but this does not seem to help.

Digpoe
  • What is that code segment supposed to do? Doing pattern matching with a 2MB pattern is not going to perform well, and that pattern simply matches all strings up to 1MB in size, so it's not even useful. – Colonel Thirty Two Jul 01 '14 at 21:50
  • I noticed that, but that appears to create a stack overflow, which crashes my program. I don't know what the code is meant to do either - I just told some people in the IRC channel I was in to run some snippets of code, to see if they could break it, and one of them happened to do that. – Digpoe Jul 01 '14 at 21:53
  • Oh, so you want to sandbox your program against code such as this? Well, that's not a trivial task. There's lots of things that you need to protect against, such as infinite loops, access to IO/system calls, etc. – Colonel Thirty Two Jul 01 '14 at 22:02
  • That's the problem - I don't want to really go down that route due to how many ways it can be done in Lua. If I did manage to do it, I would more than likely remove half of the use of the language. I guess I'll just have to give fair warning to the users of my bot that the Lua command is unstable and could cause a crash? – Digpoe Jul 01 '14 at 22:13
  • Well, what if a user did `os.system("rm -rf /")` or some other malicious command? You'll have far more to worry about than a crash. – Colonel Thirty Two Jul 01 '14 at 22:16
  • I already disabled the os library entirely; I could foresee something like that happening anyway. :P – Digpoe Jul 01 '14 at 22:17

1 Answer


To get around that particular error, use Lua 5.2.2 or newer. The case is a reported bug that got fixed in version 5.2.2. It gives a "pattern too complex" error instead.

And as far as sandboxing is concerned, why not fashion it after the Lua live demo as suggested in this SO answer? I don't know how secure it is but I'd presume the authors have both the incentive and capability of making it as secure as possible. The sources can be found from here.

pico
  • Darn! I was trying to avoid this because of _ENV; I prefer getfenv and setfenv and I'm sure the people I know do too. – Digpoe Jul 03 '14 at 17:41
  • Heh, life is just a string of choices you are forced to make :) – pico Jul 04 '14 at 08:00
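
One way to guard against this specific crash while staying on Lua 5.1, where `setfenv` is still available; this is an added example, not code from the question or the answer. The limits `MAX_PATTERN` and `MAX_STRING` and the names `guard_pattern`, `safe_string` and `run_untrusted` are assumptions, as is the premise that capping the pattern length keeps the C matcher's recursion shallow.

```lua
-- Added example for Lua 5.1 (setfenv/loadstring); all names and limits are assumptions.
local MAX_PATTERN = 256    -- assumed cap; bounds how deep the C pattern matcher can recurse
local MAX_STRING  = 65536  -- assumed cap on the result of string.rep

-- Reject oversized patterns with an ordinary Lua error that pcall can catch.
local function guard_pattern(fn)
  return function(s, pattern, ...)
    if type(pattern) == "string" and #pattern > MAX_PATTERN then
      error("pattern too long", 2)
    end
    return fn(s, pattern, ...)
  end
end

-- Whitelist instead of copying `string`, so string.dump and the deprecated gfind stay out.
local safe_string = {}
for _, name in ipairs({ "byte", "char", "format", "len", "lower", "reverse", "sub", "upper" }) do
  safe_string[name] = string[name]
end
for _, name in ipairs({ "find", "match", "gmatch", "gsub" }) do
  safe_string[name] = guard_pattern(string[name])
end
safe_string.rep = function(s, n)
  if #tostring(s) * (tonumber(n) or 0) > MAX_STRING then
    error("string too long", 2)
  end
  return string.rep(s, n)
end

-- ("x"):find(p) resolves through the string metatable, not the chunk environment,
-- so point that at the guarded table too (this affects the whole Lua state).
getmetatable("").__index = safe_string

local function run_untrusted(source)
  if string.sub(source, 1, 1) == "\27" then
    return false, "precompiled chunks are not accepted"
  end
  local chunk, err = loadstring(source, "=irc")
  if not chunk then return false, err end
  setfenv(chunk, { print = print, tostring = tostring, tonumber = tonumber, type = type,
                   pairs = pairs, ipairs = ipairs, string = safe_string })
  return pcall(chunk)
end

-- The snippet from the question, then the same idea written with method calls.
print(run_untrusted('print(string.find(string.rep("a", 2^20), string.rep(".?", 2^20)))'))
print(run_untrusted('print(("a"):find((".?"):rep(300)))'))
```

The guard only covers string and pattern size; the infinite loops mentioned in the comments still need their own limit.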