Skip to content

feat: cloud-query lua tool#3585

Merged
zreigz merged 4 commits into
masterfrom
lukasz/prod-4858-cloud-query-lua-tool
May 21, 2026
Merged

feat: cloud-query lua tool#3585
zreigz merged 4 commits into
masterfrom
lukasz/prod-4858-cloud-query-lua-tool

Conversation

@zreigz

@zreigz zreigz commented May 21, 2026

Copy link
Copy Markdown
Member

Test Plan

Test environment: https://console.your-env.onplural.sh/

Checklist

  • I have added a meaningful title and summary to convey the impact of this PR to a user.
  • If required, I have updated the Plural documentation accordingly.
  • I have added tests to cover my changes.
  • I have deployed the agent to a test environment and verified that it works as expected (required only when changing agent code).
    • Agent starts successfully.
    • Service creation works without any issues when using raw manifests and Helm templates.
    • Service creation works when resources contain both CRD and CRD instances.
    • Service templating works correctly.
    • Service errors are reported properly and visible in the UI.
    • Service updates are reflected properly in the cluster.
    • Service resync triggers immediately and works as expected.
    • Sync waves annotations are respected.
    • Sync phases annotations are respected. Phases are executed in the correct order.
    • Sync hook delete policies are respected. Resources are not recreated once they reach the desired state.
    • Service deletion works and cleanups resources properly.
    • Services can be recreated after deletion.
    • Service detachment works and keeps resources unaffected.
    • Services can be recreated after detachment.
    • Service component trees are working as expected.
    • Cluster health statuses are being updated.
    • Agent logs do not contain any errors (after running for at least 30 minutes).
    • There are no visible anomalies in Datadog (after running for at least 30 minutes).

Plural Flow: console

@linear

linear Bot commented May 21, 2026

Copy link
Copy Markdown

PROD-4858

@socket-security

socket-security Bot commented May 21, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgitlab.com/​gitlab-org/​api/​client-go@​v1.46.07510010010080
Addedgithub.com/​vmware-tanzu/​velero@​v1.16.27510010010090
Addedgithub.com/​terraform-docs/​terraform-docs@​v0.20.088100100100100
Addedgotest.tools/​gotestsum@​v1.13.096100100100100

View full report

@socket-security

socket-security Bot commented May 21, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang github.com/terraform-docs/terraform-docs is 98.0% likely obfuscated

Confidence: 0.98

Location: Package overview

From: go/deployment-operator/go.modgolang/github.com/terraform-docs/terraform-docs@v0.20.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/terraform-docs/terraform-docs@v0.20.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@greptile-apps

greptile-apps Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds a RunLua gRPC method to the cloud-query service that executes caller-supplied Lua scripts inside a sandboxed gopher-lua VM and returns the result as JSON. A new runner.go and its tests implement the sandbox, wiring in encoding/utils helpers from the polly/luautils package.

  • runner.go builds a restricted VM (skips all libs, then re-opens only base/string/table/math) and extracts output from the global output table.
  • toolquery.go adds the RunLua RPC handler with nil/empty-script validation consistent with existing handlers.
  • Proto and generated gRPC files add the RunLuaInput/RunLuaOutput messages and register the new method.

Confidence Score: 3/5

The Lua sandbox exposes dofile and loadfile from the base library, allowing submitted scripts to probe or read files on the server — contradicting the documented "no filesystem access" constraint. This should be fixed before merging.

The core issue is that lua.OpenBase registers dofile and loadfile in the VM. Since this service accepts arbitrary Lua scripts from callers, either function can be used to read files on the server host. The sandbox's own tests (e.g. TestSandboxNoFS) only verify that the fs module is absent; they don't cover dofile. Additionally, a comment incorrectly documents a return-value capture path that doesn't exist, and a post-execution timeout check is dead code.

go/cloud-query/internal/tools/lua/runner.go — the newSandboxedState function needs to remove dofile and loadfile after opening the base library.

Security Review

  • Filesystem access via dofile/loadfile (go/cloud-query/internal/tools/lua/runner.go): lua.OpenBase registers both dofile and loadfile in the Lua VM. The sandbox is documented to have no filesystem access, but these functions can be called by any submitted script to probe for file existence or read files that happen to parse as valid Lua. They must be explicitly removed after OpenBase is called.

Important Files Changed

Filename Overview
go/cloud-query/internal/tools/lua/runner.go New Lua sandbox runner; dofile/loadfile from OpenBase contradict the documented "no filesystem" guarantee, and the post-execution timeout path is unreachable dead code
go/cloud-query/internal/service/toolquery.go New RunLua RPC handler with standard nil/empty validation; overall structure consistent with existing handlers
go/cloud-query/internal/tools/lua/runner_test.go Good sandbox test coverage; missing a test case for dofile/loadfile access which is not blocked by the sandbox
go/cloud-query/api/proto/toolquery.proto Adds RunLuaInput/RunLuaOutput messages and RunLua RPC; straightforward and consistent with existing proto patterns
go/cloud-query/go.mod Adds gopher-lua and polly dependencies; indirect deps look correct

Reviews (1): Last reviewed commit: "cloud-query lua tool" | Re-trigger Greptile

Comment thread go/cloud-query/internal/tools/lua/runner.go
Comment thread go/cloud-query/internal/tools/lua/runner.go
Comment thread go/cloud-query/internal/tools/lua/runner.go Outdated
@zreigz zreigz added the enhancement New feature or request label May 21, 2026
zreigz and others added 3 commits May 21, 2026 15:36
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@zreigz zreigz merged commit d930f78 into master May 21, 2026
25 checks passed
@zreigz zreigz deleted the lukasz/prod-4858-cloud-query-lua-tool branch May 21, 2026 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants