sandbox.lua/README.md

141 lines
3.9 KiB
Markdown
Raw Normal View History

2013-09-03 15:13:39 +00:00
sandbox.lua
===========
A pure-lua solution for running untrusted Lua code.
2014-04-28 11:56:14 +00:00
The default behavior is restricting access to "dangerous" functions in Lua, such as `os.execute`.
It's possible to provide extra functions via the `options.env` parameter.
Infinite loops are prevented via the `debug` library.
2013-09-03 15:13:39 +00:00
For now, sandbox.lua only works with Lua 5.1.x.
Usage
=====
2014-04-28 11:56:14 +00:00
Require the module like this:
``` lua
local sandbox = require 'sandbox'
```
### sandbox.protect
`sandbox.protect(f)` (or `sandbox(f)`) produces a sandboxed version of `f`. `f` can be a Lua function or a string with Lua code.
A sandboxed function works as regular functions as long as they don't access any insecure features:
```lua
local sandboxed_f = sandbox(function() return 'hey' end)
local msg = sandboxed_f() -- msg is now 'hey'
2013-09-03 15:13:39 +00:00
2014-04-28 11:56:14 +00:00
```
2013-09-03 15:13:39 +00:00
2014-04-28 11:56:14 +00:00
Sandboxed options can not access unsafe Lua modules. (See the [source code](https://github.com/kikito/sandbox.lua/blob/master/sandbox.lua#L35) for a list)
2013-09-05 22:40:43 +00:00
2014-04-28 11:56:14 +00:00
When a sandboxed function tries to access an unsafe module, an error is produced.
2013-09-05 22:40:43 +00:00
2014-04-28 11:56:14 +00:00
```lua
2013-09-05 22:40:43 +00:00
2014-04-28 11:56:14 +00:00
local sf = sandbox.protect(function()
os.execute('rm -rf /') -- this will throw an error, no damage done
end)
2013-09-05 22:40:43 +00:00
2014-04-28 11:56:14 +00:00
sf() -- error: os.execute not found
2013-09-03 15:13:39 +00:00
2014-04-28 11:56:14 +00:00
```
2013-09-03 15:13:39 +00:00
2014-04-28 11:56:14 +00:00
Sandboxed functions will eventually throw an error if they contain infinite loops:
2013-09-13 11:20:24 +00:00
2014-04-28 11:56:14 +00:00
```lua
local sf = sandbox.protect(function()
while true do end
end)
sf() -- error: quota exceeded
```
### options.quota
`sandbox.lua` prevents infinite loops from halting the program by hooking the `debug` library to the sandboxed function, and "counting instructions". When
the instructions reach a certain limit, an error is produced.
This limit can be tweaked via the `quota` option. But default, it is 500000.
2013-09-13 11:20:24 +00:00
2013-09-05 22:40:43 +00:00
It is not possible to exhaust the machine with infinite loops; the following will throw an error after invoking 500000 instructions:
2014-04-28 11:56:14 +00:00
``` lua
sandbox.run('while true do end') -- raise errors after 500000 instructions
sandbox.run('while true do end', {quota=10000}) -- raise error after 10000 instructions
```
2013-09-05 22:40:43 +00:00
2014-04-28 11:56:14 +00:00
Note that if the quota is low enough, sandboxed functions that do lots of calculations might fail:
2013-09-05 22:40:43 +00:00
2014-04-28 11:56:14 +00:00
``` lua
local f = function()
local count = 1
for i=1, 400 do count = count + 1 end
return count
end
2013-09-05 22:40:43 +00:00
2014-04-28 11:56:14 +00:00
sandbox.run(f, {quota=100}) -- raises error before the function ends
```
2013-09-13 11:20:24 +00:00
2014-04-28 11:56:14 +00:00
### options.env
2013-09-05 22:40:43 +00:00
2014-04-28 11:56:14 +00:00
Use the `env` option to inject additional variables to the environment in which the sandboxed function is executed.
2013-09-03 15:13:39 +00:00
2014-04-28 11:56:14 +00:00
local msg = sandbox.run('return foo', {env = {foo = 'This is a global var on the the environment'}})
Note that the `env` variable will be modified by the sandbox (adding base modules like `string`). The sandboxed code can also modify it. It is
recommended to discard it after use.
2013-09-03 15:13:39 +00:00
2013-09-05 22:40:43 +00:00
local env = {amount = 1}
sandbox.run('amount = amount + 1', {env = env})
assert(env.amount = 2)
2013-09-03 15:13:39 +00:00
2013-09-03 16:07:03 +00:00
2014-04-28 11:56:14 +00:00
### sandbox.run
2013-09-13 11:20:24 +00:00
2014-04-28 11:56:14 +00:00
`sandbox.run(f)` sanboxes and executes `f` in a single line. `f` can be either a string or a function
2013-09-13 11:20:24 +00:00
2014-04-28 11:56:14 +00:00
You can pass `options` param, and it will work like in `sandbox.protect`.
Any extra parameters will just be passed to the sandboxed function when executed.
2013-09-13 11:20:24 +00:00
2014-04-28 11:56:14 +00:00
In other words, `sandbox.run(f, o, ...)` is equivalent to `sandbox.protect(f,o)(...)`.
2013-09-13 11:20:24 +00:00
Notice that if `f` throws an error, it is *NOT* captured by `sandbox.run`. Use `pcall` if you want your app to be immune to errors, like this:
2014-04-28 11:56:14 +00:00
``` lua
2013-09-13 11:20:24 +00:00
local ok, result = pcall(sandbox.run, 'error("this just throws an error")')
2013-09-03 16:07:03 +00:00
2014-04-28 11:56:14 +00:00
```
2013-09-03 16:07:03 +00:00
2013-09-03 15:13:39 +00:00
Installation
============
Just copy sandbox.lua wherever you need it.
License
=======
This library is released under the MIT license. See MIT-LICENSE.txt for details
Specs
=====
This project uses [telescope](https://github.com/norman/telescope) for its specs. In order to run them, install it and then:
2013-09-03 15:13:39 +00:00
cd /path/to/where/the/spec/folder/is
tsc spec/*
2013-09-03 15:13:39 +00:00
I would love to use [busted](http://olivinelabs.com/busted/), but it has some incompatibility with `debug.sethook(f, "", quota)` and the tests just hanged up.