Safe mode for Lua filters

[jgm]

It would be nice to have something like a "sandboxed" mode in which Lua filters could run. This could be triggered by the existing --sandbox CLI option. What would have to be done to make this possible?

https://github.com/kikito/lua-sandbox gives a model for restricting unsafe functions.
We could modify to taste. In addition to what they exclude, we'd have to remove require, and we'd need special versions of many of the functions pandoc provides (which are basically hooks to code implemented in Haskell). This is a bit awkward, because Lua itself has to run in IO, but in principle we could use sandbox (T.P.Class) to lift pure operations into MonadIO. To avoid inefficiency, we'd probably need to change this function so that it takes an already-constructed FileTree rather than a list of FilePaths as argument. Then we could build the ersatz FileTree once and thread it through.

(Actually, thinking back, I wonder why I didn't implement the sandbox by using a new PandocSandboxed monad that is an instance of MonadIO but doesn't actually do any IO. That could be worth reconsidering.)

Anyway, I just wanted to put this up here so we can collect ideas, or at least catalog obstacles. This is getting more important the more people come to rely on Lua filters to extend pandoc.

PS. A safe mode for regular JSON filters would be impossible to implement; since these filters are separate programs, pandoc cannot control what they do in addition to spitting out JSON. But for Lua filters it does not seem impossible.

[jgm]

I guess one approach could be to introduce a PandocLuaSandboxed monad, which defines sandboxed versions of all the standard functions, and use that instead of PandocLua in sandboxed contexts. That would take care of the Lua functions that wrap functions from T.P.Class. We'd have to deal with things like pipe separately.

[jgm]

@tarleb What if in documentedModule we had defun and defunSafe? (Alternatively, moduleFunctions could be a list of pairs.) Then for each module we'd be keeping track of the safe functions, and the module initialization could simply exclude unsafe functions when in sandboxed mode?

That would take care of all the functions pandoc provides. It would only remain to remove the unsafe native Lua functions from the Lua environment.

[tarleb]

I like that. Maybe we could get rid of the liftPure functions that way, which would even simplify the interface.

[jgm]

Is this worth pursuing for 3.0?

[tarleb]

I suspect that safe Lua is a bit too much work to get it done for 3.0. I can try to squeeze some work on that in, but I'd like to concentrate more on getting the Figure code up-to-date (and hopefully merged).