lua: disable lua rules by default

To protect against possible supply chain attacks, disable Lua rules by default. They can be enabled under the "security" section of suricata.yaml. Ticket: #6122
OISF · Jun 14, 2023 · b95bbcc · b95bbcc
1 parent 342e21a
commit b95bbcc
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/src/detect-lua.c b/src/detect-lua.c
@@ -1002,6 +1002,16 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
     DetectLuaData *lua = NULL;
     SigMatch *sm = NULL;
 
+    /* First check if Lua rules are enabled, by default Lua in rules
+     * is disabled. */
+    int enabled = 0;
+    (void)ConfGetBool("security.lua.allow-rules", &enabled);
+    if (!enabled) {
+        SCLogError(SC_ERR_NO_LUA_SUPPORT,
+                "Lua rules disabled by security configuration: security.lua.allow-rules");
+        goto error;
+    }
+
     lua = DetectLuaParse(de_ctx, str);
     if (lua == NULL)
         goto error;
@@ -1156,6 +1166,8 @@ static void DetectLuaFree(DetectEngineCtx *de_ctx, void *ptr)
 /** \test http buffer */
 static int LuaMatchTest01(void)
 {
+    ConfSetFinal("security.lua.allow-rules", "true");
+
     const char script[] =
         "function init (args)\n"
         "   local needs = {}\n"
@@ -2941,4 +2953,4 @@ void DetectLuaRegisterTests(void)
     UtRegisterTest("LuaMatchTest06a", LuaMatchTest06a);
 }
 #endif
-#endif /* HAVE_LUAJIT */
+#endif /* HAVE_LUAJIT */
diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -1014,6 +1014,11 @@ asn1-max-frames: 256
 #  user: suri
 #  group: suri
 
+security:
+  lua:
+    # Allow Lua rules. Disabled by default.
+    #allow-rules: false
+
 # Some logging modules will use that name in event as identifier. The default
 # value is the hostname
 #sensor-name: suricata