lua-users home
lua-l archive



>Hi list,
>
>I am new to lua.
>
>I plan to store some key->value preferences (and more) in a lua script file.
>My question concerns security:
>in case the script file is corrupted, is it possible to execute malicious code while lua is scanning back the file?

Yes; you would need to perform a "dofile" or similar mechanism which, if left unguarded, could cause malicious things to occur. You might consider compiling it into a chunk and restricting the environment:

local fn, err = loadfile("mydata.lua")  -- compiles the file only; nothing runs yet
if not fn then error(err) end           -- syntax error or unreadable file
setfenv(fn, {})                         -- Lua 5.1: empty environment, so no print/os/io/etc. are reachable
local ok, msg = pcall(fn)               -- run the chunk, catching any runtime error it raises
if not ok then error(msg) end

This still leaves the issue of a data file written like:

data = {
   1,
   2,
   3
}
while true do end

This you will have issues restricting in vanilla Lua. Using extra functionality such as signals or threading to monitor the time it takes to execute can resolve this issue, though.

>In general, are there any required steps to prevent security issues when using lua scripts as data models?

Only allow what you need to allow. In general for a "data script" you only need raw Lua functionality, so you can clean the entire environment and then merge it in later. This ensures there are no side effects from the code.

-- Matthew P. Del Buono
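The following is an added example, not code from the reply above, that puts the three ideas of the answer together: compile the data chunk into an empty environment, abort it if it runs past an instruction budget (the in-Lua equivalent of the timer the reply mentions, using the standard `debug.sethook` count hook), and only then merge plain values back into the program's own table. The function names (`compile_sandboxed`, `run_with_budget`, `load_prefs`), the budget of 100000 instructions, and the three sample data chunks are all constructed for this example; the chunks are loaded from strings rather than files so it runs stand-alone, and it assumes the `debug` library is available (Lua 5.1 via `loadstring`/`setfenv`, Lua 5.2+ via `load` with an explicit environment).

```lua
-- Added example (not from the original post): load a Lua "data script" safely.
-- Instruction budget before a runaway chunk is aborted (assumed value).
local MAX_INSTRUCTIONS = 100000

-- Compile a chunk with a fresh, empty environment; works on Lua 5.1 and 5.2+.
local function compile_sandboxed(src, name)
  local env = {}
  local fn, err
  if setfenv then                          -- Lua 5.1
    fn, err = loadstring(src, name)
    if fn then setfenv(fn, env) end
  else                                     -- Lua 5.2+: mode "t" refuses bytecode, env replaces _ENV
    fn, err = load(src, name, "t", env)
  end
  return fn, env, err
end

-- Run a compiled chunk under a count hook so "while true do end" cannot hang the host.
local function run_with_budget(fn, budget)
  local function hook()
    debug.sethook()                        -- clear the hook before raising, so the error itself is not hooked
    error("data chunk exceeded instruction budget", 2)
  end
  debug.sethook(hook, "", budget)          -- "" mask: count events only, every `budget` instructions
  local ok, err = pcall(fn)
  debug.sethook()                          -- always clear, whether the chunk finished or was aborted
  return ok, err
end

-- Load a preferences chunk and return only the plain-value fields it defined.
local function load_prefs(src, name)
  local fn, env, err = compile_sandboxed(src, name)
  if not fn then return nil, "syntax error: " .. tostring(err) end
  local ok, rerr = run_with_budget(fn, MAX_INSTRUCTIONS)
  if not ok then return nil, "runtime error: " .. tostring(rerr) end
  -- Merge step: copy only strings, numbers and booleans into a fresh table, so a function
  -- or table defined by the data file never becomes part of the program's state.
  local prefs = {}
  for k, v in pairs(env) do
    local t = type(v)
    if t == "string" or t == "number" or t == "boolean" then
      prefs[k] = v
    end
  end
  return prefs
end

-- Constructed sample inputs: a well-formed file, a hanging one, and one that tries to call os.
local good = [[
theme = "dark"
volume = 7
]]
local hostile = [[
theme = "dark"
while true do end
]]
local sneaky = [[
os.execute("this line never runs: os is nil inside the empty environment")
]]

local prefs = assert(load_prefs(good, "good"))
print("theme=" .. prefs.theme, "volume=" .. prefs.volume)
print(load_prefs(hostile, "hostile"))   -- nil plus a budget-exceeded message
print(load_prefs(sneaky, "sneaky"))     -- nil plus an "attempt to index ... os" message
```

Two caveats on what the budget does not cover: a count hook only fires between Lua instructions, so a single long-running C call is not interrupted by it, and an empty environment does not remove the string metatable, so `("x"):rep(n)` is still reachable from inside the sandbox and a data file can still try to exhaust memory. Those are the cases where the reply's suggestion of an external signal or thread watchdog, or a memory limit on the process, is still needed.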