[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Sandboxing require function
- From: David Heiko Kolf <david@...>
- Date: Fri, 04 Apr 2014 18:36:27 +0200
David Demelier wrote:
> Hello all,
>
> I like to preload libraries in my application in package.preload so
> there are not globals and user can still load them individually with
> `require'. However, I'm guessing if it is possible to sandbox the
> require function so it only seeks the host application package.preload
> list instead of all the other ones.
>
> But users can still modify the package.* variables in its user script
> (even if we add a __newindex or securities like that, it can uses rawset).
>
> What is your advice on that?
Hello,
if I would want to provide a require function in a sandbox I would
probably write my own (restricted) require function and only provide
that to the sandbox.
This custom require function could then use a white-list and the
original require function. You might even deep-copy the returned module
table for each sandbox to avoid the untrusted code replacing functions
in the module table used by trusted code or other sandboxes.
Best regards,
David Kolf
