[re-posting via github after private reporting, as agreed with antirez]
It is general Lua wisdom that sandboxing is better implemented by explicitly whitelisting only the things that should be exposed, instead of blacklisting some functions/tables, as Redis currently does.
From a quick glance, there are several functions exposed by Redis (in both the 2.8 and 3.0 branches) which look dangerous. For example, all of the following look unneeded in Redis:
`rawget`, `rawset`, `rawequal`
There are probably more, and some may get added or removed as Lua evolves. The key point is that Lua internals should probably all be hidden by default, with only the needed functions picked and re-exported.
In fact, this leaky whitelist approach makes it easier to subvert the sandbox in different ways.
For example, the whole "strict Lua" protection in scriptingEnableGlobalsProtection() can be bypassed with a simple `setmetatable(_G, nil)`.
Another example is the internal de-synchronization reported in #2853, which results in a remote crash due to an assertion being hit.
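To make the whitelist suggestion concrete, here is an added example (not Redis code, not part of this report) of a Lua 5.1 sandbox built the other way round: the untrusted chunk runs with a fresh environment table that contains only an assumed-safe subset of the standard library, and the strict-globals metatable is attached to that environment rather than to the real `_G`. Since neither `_G` nor `setmetatable` nor `rawget` is exported, the `setmetatable(_G, nil)` trick mentioned above has nothing to reach. The `allowed` subset and the `run_sandboxed` helper are assumptions for illustration.

```lua
-- Added example: whitelist-based Lua 5.1 sandbox (not Redis code).
-- Only names placed in `env` are visible to the script; rawget, rawset,
-- rawequal, setmetatable, getmetatable, _G, debug, os, io, loadstring ...
-- are simply absent instead of being removed one by one.

local function build_env()
  local env = {
    -- assumed safe subset; trim or extend to what scripts really need
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, select = select, tonumber = tonumber, tostring = tostring,
    type = type, unpack = unpack,
    string = { byte = string.byte, char = string.char, find = string.find,
               format = string.format, gmatch = string.gmatch, gsub = string.gsub,
               len = string.len, lower = string.lower, match = string.match,
               rep = string.rep, reverse = string.reverse, sub = string.sub,
               upper = string.upper },
    table = { concat = table.concat, insert = table.insert,
              remove = table.remove, sort = table.sort },
    math = { abs = math.abs, floor = math.floor, max = math.max, min = math.min },
  }
  -- Strict-globals enforcement lives on the sandbox env, not on _G.
  -- The script cannot strip it: setmetatable is not in its environment.
  setmetatable(env, {
    __index = function(_, k)
      error("attempt to access undefined global '" .. tostring(k) .. "'", 2)
    end,
    __newindex = function(_, k)
      error("attempt to create global variable '" .. tostring(k) .. "'", 2)
    end,
  })
  return env
end

-- Compile the untrusted source and run it inside a fresh whitelisted env.
-- Returns pcall's results: true plus the script's return values, or
-- false plus the error message.
local function run_sandboxed(src)
  local fn, err = loadstring(src, "=user_script")
  if not fn then return false, err end
  setfenv(fn, build_env())   -- Lua 5.1; in 5.2+ pass the env to load() instead
  return pcall(fn)
end

print(run_sandboxed("return string.upper('ok')"))       -- true, "OK"
print(run_sandboxed("return setmetatable(_G, nil)"))    -- false, undefined global 'setmetatable'
print(run_sandboxed("return rawget(_G, 'os')"))         -- false, undefined global 'rawget'
print(run_sandboxed("x = 1"))                           -- false, attempt to create global 'x'
```

One caveat with stock Lua 5.1: string values carry a shared metatable whose `__index` is the real `string` library, so `("").dump` and friends remain reachable through method syntax even though the `string` table in `env` is a copy. A complete whitelist also replaces or trims that metatable (`getmetatable("").__index`) on the host side before any user script runs; the same "hide everything, then re-export" rule applies there too.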