lua-l archive


On Sat, Sep 24, 2022 at 1:09 AM Egor Skriptunoff
<egor.skriptunoff@gmail.com> wrote:

> You can make two different environments.
> The original environment contains the original "require" function.

This seems quite costly, but let's accept this just to understand the method.

> The untrusted environment is a proxy for the original environment, but it replaces the original "require" with your own function.
>
> You start a script in the untrusted environment, so when the script invokes "require", all your restrictions are being held.
> When the original "require" is eventually invoked, it always loads a module in the original environment, so all nested invocations of "require" will be unrestricted.

I am afraid this is too terse an explanation for me. Let's say I have
libraries X and Y that the "main" script can potentially load. I want
to let it load X, but not Y. However, if X itself requires Y, I want
to let it load Y, but the main script should still be unable to load Y
after that. If X exposes a function from Y to the main script, then it
is of course callable by it. Can you explain your method using this
example?

> P.S.  Can "io.open() + file:read() + load()" be a workaround? ;-)

In my case the libraries are not really files. As I mentioned in my
original message, the built-in searchers are deleted and I use a
custom one.

Cheers,
V.
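
The X/Y scenario from the message above, worked through with the two-environment method, as an added example that is not part of the original message or any poster's code. It assumes Lua 5.2 or later (`package.searchers`, `load` with an environment argument); the `sources`, `allowed` and `hidden` tables and the main script are constructed for illustration.

```lua
-- Constructed module sources standing in for non-file libraries (assumption).
local sources = {
  X = [[
    local Y = require("Y")  -- runs in _G, so this is the original require
    return { double = function(n) return Y.add(n, n) end, add = Y.add }
  ]],
  Y = [[ return { add = function(a, b) return a + b end } ]],
}

-- Drop the built-in searchers; the custom one loads every module chunk in _G.
for i = #package.searchers, 1, -1 do package.searchers[i] = nil end
package.searchers[1] = function(name)
  local src = sources[name]
  if not src then return "\n\tno constructed module '" .. name .. "'" end
  return assert(load(src, "=" .. name, "t", _G))
end

-- Modules the untrusted main script may require directly.
local allowed = { X = true }
local function restricted_require(name)
  if not allowed[name] then
    error("module '" .. tostring(name) .. "' is not permitted", 2)
  end
  return require(name)  -- original require; nested requires are unrestricted
end

-- Names that would hand the script the original require or the trusted globals.
local hidden = { _G = true, package = true, debug = true,
                 load = true, loadfile = true, dofile = true }
local overrides = { require = restricted_require }

-- Untrusted environment: read-through proxy over _G; writes stay in the proxy.
local untrusted = setmetatable({}, {
  __index = function(_, k)
    if overrides[k] ~= nil then return overrides[k] end
    if hidden[k] then return nil end
    return _G[k]
  end,
  __metatable = false,  -- protects the proxy's metatable from the script
})

-- Constructed main script, run in the untrusted environment.
local main = [[
  local X = require("X")
  print("X.double(21):", X.double(21))
  print("X.add(1, 2):", X.add(1, 2))       -- Y's function, exposed by X
  print("require Y:", pcall(require, "Y")) -- main asks for Y directly
]]
assert(load(main, "=main", "t", untrusted))()
```

The allow-list is checked only in `restricted_require`, so Y being cached in `package.loaded` after X loads it does not make Y available to the main script, which is why `package` and `_G` are hidden from the proxy.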