Run each Lua chunk in an inherited, private environment

[pmatilai]

Protect our environment against accidents and pollution from each other:
each Lua chunk starts with an environment inherited from rpm global, but
any modifications go to the private environment so it's not possible to
accidentally destroy or divert things.

[DemiMarie]

This will break code that defines Lua functions for later use. Is this intentional? Also, it is still possible to monkeypatch various global tables.

[pmatilai]

The idea is to stop accidental pollution of the Lua environment. Actual hardening is a separate matter.
And yeah, some breakage to be expected if people are (ab)using this. Also possible we need further tweaks.

[Conan-Kudo]

Wouldn't this entirely break the forge macros and Go macros in Fedora, as well as the Python and Ruby macros in openSUSE?

[pmatilai]

Would it?

If you're unsure what an implementation does, it'd be more helpful to actually test it.

[Conan-Kudo]

I'll try to test it this weekend and find out. I only gave a first pass look and got a bit nervous.

[mlschroe]

I'm a lua novice, so pardon my ignorance. Why does

--eval '%{lua:rpm=nil; print(rpm == nil)}' \

evaluate to false in the testcase? And the test is currently skipped in the CI, probably due to that AT_SKIP_IF([$LUA_DISABLED]). Didn't we make lua mandatory?

[pmatilai]

The nil thing is indeed a Lua peculiarity with globals and how the environment is manipulated here, it basically prevents you from (accidentally) doing something nasty to the environment. https://www.lua.org/pil/14.3.html is technically outdated but explains the basic idea.

This patch is originally from last autumn when Lua was still optional, LUA_DISABLED is just a leftover and needs removing.

This also needs more thought than this... closing for now.

[mlschroe]

Thanks for the pointer!