
I'm working on this project where I am using Python + Lupa to run Lua code. I want to run untrusted Lua code (as a string) within my Python script using lupa.LuaRuntime().eval(). I've looked around to see what I need to do to restrict what this Lua code has access to.

I stumbled upon this old post (https://stackoverflow.com/a/17455485) that shows you how to do it in Lua 5.1 using setfenv():

```python
import lupa
L = lupa.LuaRuntime()
sandbox = L.eval("{}")
setfenv = L.eval("setfenv")

sandbox.print   = L.globals().print
sandbox.math    = L.globals().math
sandbox.string  = L.globals().string
sandbox.foobar  = foobar
# etc...

setfenv(0, sandbox)

L.execute("os.execute('rm -rf *')")
```

The `setfenv` function doesn't exist in Lua 5.4, which I'm using. How do you do this in more modern versions of Lua?

I've tried to create a new function (`sb_func()`) within `load()` and then call it, but it does nothing:

```python
import lupa
L = lupa.LuaRuntime()

sandbox = L.eval("{}")
load = L.eval("load")

sandbox.math = L.globals().math
sandbox.print = L.globals().print

sb_func = load("function sb_func() print('test') return nil end","","t",sandbox)
sb_func
```
  • https://www.lua.org/manual/5.4/manual.html chapter 2.2. `_ENV` is what you need afaik, see https://stackoverflow.com/questions/12021461/lua-setfenv-vs-env for more information. – Luke100000 Nov 11 '22 at 11:17

0 Answers