
Restricting access to potentially-dangerous LUA builtins

Open jrgp opened this issue 6 years ago • 2 comments

Hi,

I've been using LUPA a bit and its functionality to block access to Python objects works great.

But I just realized that the Lua builtins are still exposed (e.g. print and os.execute) despite the Python part being sandboxed.

I played around a bit and discovered the following code snippet blocks access to the dangerous functions, but I was wondering if there was a better way?

import lupa

lua = lupa.LuaRuntime()
# Remove every Lua global except the _G self-reference
for key in list(lua.globals()):
	if key != '_G':
		del lua.globals()[key]

# The following now fails instead of executing

f = lua.eval('''
	function()
	os.execute('echo BLARG')
	end
''')

f()

Thanks!

jrgp avatar Oct 02 '19 23:10 jrgp

Yeah, the intention is to block access to anything risky in Python. Preventing access to anything risky provided by Lua is probably best done in Lua.

scoder avatar May 19 '20 12:05 scoder
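
A sketch of the Lua-side approach suggested in the reply above, added here as an example and not code from either participant or from the lupa project: untrusted source is compiled against an allowlisted environment table instead of the real globals. The names `make_env` and `run_sandboxed` and the choice of allowlisted functions are assumptions for illustration.

```lua
-- Added example: allowlist environment for untrusted chunks (names are hypothetical).
-- Only what is listed here is visible; os, io, package, require, debug,
-- load, dofile and friends are simply absent from the chunk's globals.
local function make_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select,
    tonumber = tonumber, tostring = tostring, type = type,
    math = { abs = math.abs, floor = math.floor, max = math.max, min = math.min },
    string = { byte = string.byte, char = string.char, format = string.format,
               len = string.len, lower = string.lower, sub = string.sub,
               upper = string.upper },
    table = { concat = table.concat, insert = table.insert,
              remove = table.remove, sort = table.sort },
  }
  env._G = env  -- _G inside the sandbox points at the sandbox, not the real globals
  return env
end

-- Compile src as text only and run it with a fresh environment.
-- Returns pcall-style results: true plus return values, or false plus a message.
local function run_sandboxed(src)
  local env = make_env()
  local chunk, err
  if setfenv then                        -- Lua 5.1 / LuaJIT
    if src:byte(1) == 27 then            -- ESC marks precompiled bytecode
      return false, "binary chunks are not allowed"
    end
    chunk, err = loadstring(src, "=sandbox")
    if chunk then setfenv(chunk, env) end
  else                                   -- Lua 5.2 and later
    chunk, err = load(src, "=sandbox", "t", env)  -- "t": reject bytecode
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Caveat: string values resolve methods through the shared string metatable,
-- so s:method() reaches the real string library regardless of env.string.

-- Constructed sample inputs:
print(run_sandboxed("return string.upper('ok')"))
print(run_sandboxed("os.execute('echo BLARG')"))  -- fails: os is nil in the sandbox
print(run_sandboxed("return _G.os"))              -- _G is the sandbox table itself
```

Starting from an empty table and adding what is needed means a builtin introduced by a newer Lua version stays hidden until it is reviewed, unlike deleting known-dangerous names from the real globals. This restricts which functions are reachable only; it does not bound CPU time or memory.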