Restricting access to potentially-dangerous LUA builtins #123

Open
jrgp opened this issue Oct 2, 2019 · 1 comment
jrgp commented Oct 2, 2019

Hi,

I've been using lupa a bit and its functionality to block access to Python objects works great.

But I just realized that the Lua builtins are still exposed (e.g. `print` and `os.execute`) despite the Python part being sandboxed.

I played around a bit and discovered the following code snippet blocks access to the dangerous functions, but I was wondering if there was a better way?

```python
import lupa

lua = lupa.LuaRuntime()
# Delete every Lua global except the _G table itself
for key in list(lua.globals()):
    if key != '_G':
        del lua.globals()[key]

# The following now fails instead of executing

f = lua.eval('''
    function()
    os.execute('echo BLARG')
    end
''')

f()
```

Thanks!

scoder (Owner) commented May 19, 2020

Yeah, the intention is to block access to anything risky in Python. Preventing access to anything risky provided by Lua is probably best done in Lua.
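
One way to do the restriction on the Lua side, as the reply above suggests, is to run untrusted source in an allowlisted environment rather than deleting globals from the whole runtime. This is an added example, not code from lupa or from either commenter; the names `copy_lib`, `make_env` and `run_sandboxed` and the contents of the allowlist are assumptions, and it goes slightly beyond the thread by covering both Lua 5.1/LuaJIT (`setfenv`) and Lua 5.2+ (`load` with an environment).

```lua
-- Added example: allowlist sandbox. All names below are hypothetical.
local function copy_lib(lib, names)
  local out = {}
  for _, name in ipairs(names) do out[name] = lib[name] end
  return out
end

-- Build a fresh environment per run so one script cannot poison the next.
local function make_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type,
    math = copy_lib(math, {"abs", "ceil", "floor", "huge", "max", "min", "pi", "sqrt"}),
    string = copy_lib(string, {"byte", "char", "find", "format", "len", "lower", "sub", "upper"}),
    table = copy_lib(table, {"concat", "insert", "remove", "sort"}),
    os = copy_lib(os, {"clock", "time"}),  -- no execute, remove, rename, getenv, exit
  }
  env._G = env  -- _G points at the sandbox, not the real globals
  return env
end

-- Returns true plus the chunk's results, or false plus an error message.
local function run_sandboxed(code)
  -- Precompiled bytecode starts with ESC (27) and bypasses source-level checks.
  if code:byte(1) == 27 then return false, "bytecode rejected" end
  local env, chunk, err = make_env(), nil, nil
  if setfenv then  -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(code, "=sandbox")
    if chunk then setfenv(chunk, env) end
  else             -- Lua 5.2+: "t" also makes load() refuse bytecode
    chunk, err = load(code, "=sandbox", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed inputs: the first only uses allowlisted functions; the second is
-- the call from the issue, which errors because os.execute is nil in here.
print(run_sandboxed("return math.floor(3.7) + #string.upper('ab')"))
print(run_sandboxed("os.execute('echo BLARG')"))

-- Not covered: CPU and memory limits (an infinite loop still hangs the host),
-- and method calls on strings such as ("x"):rep(n), which go through the shared
-- string metatable to the real string library rather than env.string.
return run_sandboxed
```

Because the chunk ends with `return run_sandboxed`, loading it through lupa's `LuaRuntime.execute()` hands the function back to Python, so trusted Lua code in the same runtime keeps its full globals.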
