Allow installing some but not all of the standard modules. #55
Comments
I would like exactly the same functionality; there are cases where you want to allow people to provide code to execute without exposing potentially dangerous OS functions.
Aside, to explain why this is valuable: I'm using Gopher-Lua to write a mailing list driver that loads incoming mail from IMAP, does some Lua to it, and pushes it out by SMTP (I actually can't believe nobody's done an IMAP/SMTP mailing list system before, I can't find any hint of it..). The bit in the middle where the Lua happens is an event-loop written as a local file by the user; fine, no special security flaws there except those the list admin adds themselves, and I want io/os loaded. However, I would also like list moderators to be able to send arbitrary Lua to admin the list to be run in a separate execution environment, so they'd add new members by passing a script consisting of something like
When I hit this stage in my own project I'll happily clone, make some changes to expose the various lib functions, and issue a PR, unless someone beats me to it. I really hope you'll consider accepting! |
Ok, I see what you're suggesting. My concern would be that through some Lua magic, if an attacker can outrun the garbage collector they might find a reference in a sea of |
If a certain global variable has been deleted by reassigning it just after creating a new LState, no references to it can be found. |
Hrm, Ok. Is that also true of a freshly created "sandbox" thread, or would one need an orphan LState to enjoy the same guarantee? |
L = lua.NewState()
L.DoString("coroutine=nil;debug=nil;io=nil;math=nil;os=nil;string=nil;table=nil")
th = L.NewThread()
// L and th share the same global variables (= th is sandboxed).
L2 = lua.NewState()
L2.DoString("coroutine=nil;debug=nil;io=nil;math=nil;os=nil;string=nil;table=nil")
// L and L2 do not share the same global variables (= L2 is NOT sandboxed). You need L.DoString() again. |
Well, I was more concerned about this use-case, forgive me if it's naive:
Of course, doing the reverse might be more sensible (edit, no; this would be totally insecure, sorry):
|
..the point being, again, that you could create a rich environment with lots of additional stuff, as well as the "essential" core libraries, and use the same environment to execute code you trust as well as code you don't trust. ..which reminds me that the "secure first, insecure later" option is untenable, because malicious code could overwrite globals in |
Hmm, if you implement luaopen_XX with Lua5.1-compliant functionality, I'll merge it. (Sorry, I have no time to work on this task, as I'm just a hobby programmer...) As you can see in the lint.c, luaopen_XX functions in 5.1 should be cfunction. Currently, openXXX in GopherLua are not cfunction (not LGFunction). Tasks:
|
So, if I understand you correctly, you would accept a PR that made the individual lib-loading functions public, as long as they were all |
And BTW, I'm aware of, and in awe of, the fact that this is just hobby stuff for you. Thanks so much for Gopher-Lua, it's amazing and really useful. :) |
|
Mission accepted. :) @milochristiansen - Sound like a solution for you also? |
Hi @yuin, I've made the changes as I understand them, and pushed them to the linit branch on my fork - when you get a chance could you review before I PR? Thanks! |
Code review on GitHub should be made in a PR. Please send a pull request. |
Done |
New private type, luaLib, to contain name and load function, same idea as Lua5.1's luaL_Reg: http://pgl.yoyo.org/luai/i/luaL_Reg luaLibs is now private, is now a slice of luaLibs. Each module register function now returns the module table. luaLibs are now executed by pushing onto the stack, pushing the module name, and calling with args 1 and returns 0. Some comments removed by request.
Currently you can have all, or no standard modules. This produces problems when, for example, you need everything but os and io to be available.
The fix for this is trivial, just export the openXYZ functions so that users can install modules piecemeal if they wish.
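
An added example, not code from this thread or from GopherLua: one way to run moderator-supplied Lua beside trusted code in the same state, the mailing-list use case described in the comments, is to give the untrusted chunk its own allowlisted environment rather than setting globals to nil. It assumes Lua 5.1 semantics (setfenv, loadstring); run_untrusted, new_env and add_member are hypothetical names.

```lua
-- Added example; run_untrusted, new_env and add_member are hypothetical names.
-- Assumes Lua 5.1 semantics (setfenv/loadstring), the version GopherLua implements.

-- Shallow copy, so writes by untrusted code never reach the trusted library tables.
local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Allowlisted globals for one untrusted run. Deliberately absent: io, os, debug,
-- package, require, load*, dofile, getfenv/setfenv, and getmetatable/setmetatable
-- (the shared string metatable would let a script edit the real string library).
local function new_env(api)
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next, pairs = pairs,
    pcall = pcall, select = select, tonumber = tonumber, tostring = tostring,
    type = type, unpack = unpack,
    math = copy(math), string = copy(string), table = copy(table),
  }
  env.string.dump = nil
  for name, fn in pairs(api) do env[name] = fn end -- trusted entry points
  env._G = env -- _G inside the sandbox is the sandbox itself, not the real globals
  return env
end

local function run_untrusted(src, api)
  -- PUC Lua 5.1 loadstring also accepts precompiled chunks; refuse them.
  if src:byte(1) == 27 then return false, "precompiled chunks are rejected" end
  local chunk, err = loadstring(src, "=moderator")
  if not chunk then return false, err end
  setfenv(chunk, new_env(api or {}))
  return pcall(chunk)
end

-- Constructed demo: the trusted side exposes a single list-admin call.
local members = {}
local api = { add_member = function(addr) members[#members + 1] = addr end }

assert(run_untrusted('add_member("alice@example.org")', api))
assert(members[1] == "alice@example.org")
-- os is not in the environment, so the script fails inside pcall.
assert(not run_untrusted('return os.getenv("HOME")', api))
-- Overwrites land on the per-run copies; trusted code keeps the originals.
assert(run_untrusted('string.format = nil; table.insert = nil', api))
assert(type(string.format) == "function" and type(table.insert) == "function")
```

This confines names, not resources: a script can still loop forever or allocate heavily, so the host needs its own timeout. The functions passed in through api keep their original environment, so they are the only path by which a script reaches io or os, and each one needs to validate its arguments.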