• Stars
    star
    128
  • Rank 281,044 (Top 6 %)
  • Language
    Lua
  • License
    MIT License
  • Created over 10 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A lua sandbox for executing non-trusted code

sandbox.lua

A pure-lua solution for running untrusted Lua code.

The default behavior is restricting access to "dangerous" functions in Lua, such as os.execute.

It's possible to provide extra functions via the options.env parameter.

Infinite loops are prevented via the debug library.

Supported Lua versions:

All the features of sandbox.lua work in the following Lua environments:

  • PUC-Rio Lua 5.1 allows execution of bytecode, which is a huge limitation (see the bytecode section below)
  • PUC-Rio Lua 5.2, 5.3, 5.4 have total support.
  • LuaJIT is not protected against infinite loops (see the notes in options.quota below)

Usage

Require the module like this:

local sandbox = require 'sandbox'

Then you can use sandbox.run and sandbox.protect

sandbox.run(code, options, ...)

sandbox.run(code, options, ...) sandboxes and executes code with the given options and extra params.

code must be a string with Lua code inside.

options is described below.

Any extra parameters will just be passed to the sandboxed function when executed, and available on the top-level scope via the ... varargs parameters.

In other words, sandbox.run(c, o, ...) is equivalent to sandbox.protect(c, o)(...).

Notice that if code throws an error, it is NOT captured by sandbox.run. Use pcall if you want your app to be immune to errors, like this:

local ok, result = pcall(sandbox.run, 'error("this just throws an error")')

sandbox.protect(code, options)

sandbox.protect("lua code") (or sandbox("lua code")) produces a sandboxed function, without executing it.

The resulting sandboxed function works as regular functions as long as they don't access any insecure features:

local sandboxed_f = sandbox(function() return 'hey' end)
local msg = sandboxed_f() -- msg is now 'hey'

Sandboxed options can not access unsafe Lua modules. (See the source code for a list)

When a sandboxed function tries to access an unsafe module, an error is produced.

local sf = sandbox.protect([[
  os.execute('rm -rf /') -- this will throw an error, no damage done
end
]])

sf() -- error: os.execute not found

Sandboxed code will eventually throw an error if it contains infinite loops (note: this feature is not available in LuaJIT):

local sf = sandbox.protect([[
  while true do end
]])

sf() -- error: quota exceeded

Bytecode

It is possible to exit a sandbox using specially-crafted Lua bytecode. References:

Because of this, the sandbox deactivates bytecode in all the versions of Lua where it is possible:

  • PUC-Rio Lua 5.2, 5.3, 5.4
  • LuaJIT

In other words, all except PUC-Rio Lua 5.1.

** The sandbox can be exploited in PUC-Rio Lua 5.1 via bytecode **

The only reason we keep Lua 5.1 in the list of supported versions of Lua is because sandboxing can help against users attempting to delete a file by mistake. It does not provide protection against malicious users.

As a result we strongly recommend updating to a more recent version when possible.

options.quota

Note: This feature is not available in LuaJIT

sandbox.lua prevents infinite loops from halting the program by hooking the debug library to the sandboxed function, and "counting instructions". When the instructions reach a certain limit, an error is produced.

This limit can be tweaked via the quota option. But default, it is 500000.

It is not possible to exhaust the machine with infinite loops; the following will throw an error after invoking 500000 instructions:

sandbox.run('while true do end') -- raise errors after 500000 instructions
sandbox.run('while true do end', {quota=10000}) -- raise error after 10000 instructions

If the quota is low enough, sandboxed code with too many calculations might fail:

local code = [[
  local count = 1
  for i=1, 400 do count = count + 1 end
  return count
]]

sandbox.run(code, {quota=100}) -- raises error before the code ends

If you want to turn off the quota completely, pass quota=false instead.

options.env

Use the env option to inject additional variables to the environment in which the sandboxed code is executed.

local msg = sandbox.run('return foo', {env = {foo = 'This is a global var on the the environment'}})

The env variable will be used as an "index" by the sandbox environment, but it will not be modified at all (changes to the environment are thus lost). The only way to "get information out" from the sandboxed environments are:

Through side effects, like writing to a database. You will have to provide the side-effects functions in env:

local val = 1
local env = { write_db = function(new_val) val = new_val end }
sandbox.run('write_db(2)')
assert(val = 2)

Through returned values:

local env = { amount = 1 }
local result = sandbox.run('return amount + 1', { env = env })
assert(result = 2)

Installation

Just copy sandbox.lua wherever you need it.

Alternatively, you can use luarocks:

luarocks install kikito/sandbox

License

This library is released under the MIT license. See MIT-LICENSE.txt for details

Specs

This project uses busted for its specs. In order to run them, install it and then:

cd /path/to/where/the/spec/folder/is
busted spec/*

More Repositories

1

middleclass

Object-orientation for Lua
Lua
1,629
star
2

inspect.lua

Human-readable representation of Lua tables
Lua
1,346
star
3

bump.lua

A collision detection library for Lua
Lua
914
star
4

anim8

An animation library for LÖVE
Lua
707
star
5

tween.lua

Tweening/Easing/Interpolating functions for lua. Inspired on jQuery's animate method.
Lua
568
star
6

lua_missions

Lua Koans, minus the Zen stuff
Lua
375
star
7

md5.lua

MD5 sum in pure Lua, with no C and no external dependencies
Lua
321
star
8

love-tile-tutorial

A tutorial for making tile-based games with LÖVE
Lua
272
star
9

i18n.lua

A very complete i18n lib for Lua
Lua
251
star
10

gamera

A camera system for LÖVE
Lua
248
star
11

stateful.lua

Stateful classes for Lua
Lua
174
star
12

cron.lua

Time-related functions for Lua, inspired in javascript's setTimeout and setInterval
Lua
169
star
13

love-loader

Threaded resource loading for LÖVE
Lua
130
star
14

beholder.lua

Minimal observer pattern for Lua, with a couple twists
Lua
105
star
15

semver.lua

Semantic versioning for Lua
Lua
103
star
16

memoize.lua

memoized functions in lua
Lua
88
star
17

sha1.lua

(Deprecated Repo) SHA-1 secure hash computation, and HMAC-SHA1 signature computation in Lua (5.1)
Lua
72
star
18

7-languages-in-7-weeks

My personal repo for 7LI7W exercises
Prolog
63
star
19

luv.js

Minimal HTML5 game development lib
JavaScript
43
star
20

passion

An object-oriented LÖVE game engine
Lua
36
star
21

middleclass-extras

A set of middleclass add-ons that make it easier to use in some cases
Lua
32
star
22

bresenham.lua

Lua
29
star
23

utf8_validator.lua

Easily validating UTF-8 strings in pure Lua
Lua
26
star
24

battle-cry

Lua
13
star
25

middleclass-commons

Interface between middleclass and Class-Commons
Lua
10
star
26

pulsar.lua

A-star algorithm implementation in Lua
Lua
10
star
27

ekrixion

simple game in LÖVE
Lua
9
star
28

fay

A small game for LÖVE, made for Ludum Dare #25
Lua
9
star
29

contact.php

Simple contact form. I really mean it. It's very simple.
PHP
9
star
30

lua-for-javascripters

A presentation about Lua, for people who are familiar with Javascript
CSS
7
star
31

pew-pew-boom

Explosions in 2D space. Ussing PÄSSION and LÖVE
Lua
6
star
32

middleclass-specs

Specs for testing middleclass
Lua
5
star
33

kongame

Lua
5
star
34

nvim

nvim custom config
Vim Script
5
star
35

missing_i18n

Rails mountable engine that finds missing i18n translations and displays them in a variety of formats.
Ruby
5
star
36

busted-stable

A simple rock to install a stable version of busted
4
star
37

middleclass-ai

Ai-related classes implemented in Lua
4
star
38

passion-demos

several demos of the PÄSSION game engine
Lua
4
star
39

rickshaw-vs-nvd3

Comparison of 2 popular js charting libs
CSS
3
star
40

adegan

my personal vim configuration
Vim Script
3
star
41

ci-with-lua

Presentation about continuous integration with Lua
CSS
3
star
42

love_open_chars

open_chars used on a love
Lua
3
star
43

us-4-es.keylayout

Mac keyboard layout for users of U.S. layout who need to write Spanish characters occasionally.
3
star
44

things-to-do-with-postgresql

A presentation about postgresql and rails
CSS
3
star
45

measuring-luas-performance

CSS
2
star
46

a-taste-of-lua

My talk about Lua in APIStrat Chicago 09-2014
CSS
2
star
47

stateful-demo

A simple demo of stateful.lua
Lua
2
star
48

rust-by-example

My activities & impressions while reading Rust by Example
Rust
2
star
49

modis.lua

Lua implementation of MongoDB query language over redis.
Lua
2
star
50

open_chars

My take on Silveira Neto's Open Charas project
2
star
51

jay

javascript object oriented game engine
JavaScript
2
star
52

ld-30

LD 30 - Earth, Hell & Space
Lua
2
star
53

kiki.to

CSS
1
star
54

S021

Interactive Fiction Collaborative Story
HTML
1
star
55

ood-with-ruby

A POODR-based presentation
CSS
1
star
56

stimulus-how-and-why

CSS
1
star
57

lua-for-rubyists

Slides for a talk about Lua for Ruby practicioners
CSS
1
star
58

hacking-madrid

Presentation for t3chfest 2016 about my work in decide.madrid.es
CSS
1
star
59

ci-with-ruby

Talk about continouous integration with ruby
CSS
1
star
60

popular-gemology

A talk about ruby gems: what to look for and to avoid
CSS
1
star
61

old-blog

Kikito's github page
JavaScript
1
star
62

api-addicts-2021-06-24

Companion repo for my API:Addicts talk of June 2021
1
star