sandbox.lua/spec/sandbox_spec.lua

local sandbox = require 'sandbox'

describe('sandbox.run', function()

  describe('when handling base cases', function()

    it('can run harmless strings', function()
      local r = sandbox.run("return 'hello'")
      assert.equal(r, 'hello')
    end)

    if sandbox.bytecode_blocked then
      it('rejects bytecode', function()
        local fn = function() end
        assert.error(function() sandbox.run(string.dump(fn)) end)
      end)
    else
      it('accepts bytecode (PUC Rio 5.1)', function()
        local fn = function() end
        assert.has.no.error(function() sandbox.run(string.dump(fn)) end)
      end)
    end

    it('has access to safe methods', function()
      assert.equal(10,      sandbox.run("return tonumber('10')"))
      assert.equal('HELLO', sandbox.run("return string.upper('hello')"))
      assert.equal(1,       sandbox.run("local a = {3,2,1}; table.sort(a); return a[1]"))
      assert.equal(10,      sandbox.run("return math.max(1,10)"))
    end)

    it('does not allow access to not-safe stuff', function()
      assert.error(function() sandbox.run('return setmetatable({}, {})') end)
      assert.error(function() sandbox.run('return string.rep("hello", 5)') end)
    end)

    it('does return multiple values', function()
      local result = { sandbox.run("return 'hello', 'world'") }
      assert.same({ 'hello', 'world' }, result)
    end)
  end)

  describe('when handling string.rep', function()
    it('does not allow pesky string:rep', function()
      assert.error(function() sandbox.run('return ("hello"):rep(5)') end)
    end)

    it('restores the value of string.rep', function()
      sandbox.run("")
      assert.equal('hellohello', string.rep('hello', 2))
    end)

    it('restores string.rep even if there is an error', function()
      assert.error(function() sandbox.run("error('foo')") end)
      assert.equal('hellohello', string.rep('hello', 2))
    end)

    it('passes parameters to the code', function()
      assert.equal(sandbox.run("local a, b = ...; return a + b", {}, 1,2), 3)
    end)
  end)


  describe('when the sandboxed code tries to modify the base environment', function()

    it('does not allow modifying the modules', function()
      assert.error(function() sandbox.run("string.foo = 1") end)
      assert.error(function() sandbox.run("string.char = 1") end)
    end)

    it('does not persist modifications of base functions', function()
      sandbox.run('error = function() end')
      assert.error(function() sandbox.run("error('this should be raised')") end)
    end)

    it('DOES persist modification to base functions when they are provided by the base env', function()
      local env = {['next'] = 'hello'}
      sandbox.run('next = "bye"', {env=env})
      assert.equal(env['next'], 'bye')
    end)
  end)


  if sandbox.quota_supported then
    describe('when given infinite loops', function()
      it('throws an error with infinite loops', function()
        assert.error(function() sandbox.run("while true do end") end)
      end)

      it('restores string.rep even after a while true', function()
        assert.error(function() sandbox.run("while true do end") end)
        assert.equal('hellohello', string.rep('hello', 2))
      end)

      it('accepts a quota param', function()
        assert.has_no.errors(function() sandbox.run("for i=1,100 do end") end)
        assert.error(function() sandbox.run("for i=1,100 do end", {quota = 20}) end)
      end)

      it('does not use quotes if the quote param is false', function()
        assert.has_no.errors(function() sandbox.run("for i=1,1000000 do end", {quota = false}) end)
      end)
    end)
  else
    it('throws an error when trying to use the quota option in an unsupported environment (LuaJIT)', function()
      assert.error(function() sandbox.run("", {quota = 20}) end)
    end)
  end


  describe('when given an env option', function()
    it('is available on the sandboxed env as the _G variable', function()
      local env = {foo = 1}
      assert.equal(1, sandbox.run("return foo", {env = env}))
      assert.equal(env, sandbox.run("return _G", {env = env}))
    end)

    it('does not hide base env', function()
      assert.equal('HELLO', sandbox.run("return string.upper(foo)", {env = {foo = 'hello'}}))
    end)

    it('can modify the env', function()
      local env = {foo = 1}
      sandbox.run("foo = 2", {env = env})
      assert.equal(env.foo, 2)
    end)
  end)

end)
initial version 2013-09-02 20:11:33 +00:00			`local sandbox = require 'sandbox'`

updated readme 2013-09-05 22:40:43 +00:00			`describe('sandbox.run', function()`
initial version 2013-09-02 20:11:33 +00:00
updated readme 2013-09-05 22:40:43 +00:00			`describe('when handling base cases', function()`
initial version 2013-09-02 20:11:33 +00:00
updated readme 2013-09-05 22:40:43 +00:00			`it('can run harmless strings', function()`
			`local r = sandbox.run("return 'hello'")`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.equal(r, 'hello')`
updated readme 2013-09-05 22:40:43 +00:00			`end)`
initial version 2013-09-02 20:11:33 +00:00
feat(sandbox) block bytecode when possible 2021-01-05 13:23:24 +00:00			`if sandbox.bytecode_blocked then`
			`it('rejects bytecode', function()`
feat(sandbox): only allow strings of Lua as params This change drops support for "protecting" raw Lua functions. There are two main reasons for this change: * More modern versions of PUC Rio Lua don't have `setfenv`. It is possible to get around this by using the debug library, but that library is not available in all environments. * Solutions based on `load` (which only allow string inputs) are objectively better since they give the user more control. For instance, you can deactivate support for binary code selectively. As a result, we are using the `load`-based sandbox in all versions of Lua that supports it, using `setfenv`-based sandboxing only when nothing else is available (PUC Rio 5.1). We are also explicitly raising an error if `options.mode` is passed but we are using `setfenv`. This is to prevent users from believing they are protected against binary code, when in fact they are not. 2021-01-04 23:40:59 +00:00			`local fn = function() end`
feat(sandbox) block bytecode when possible 2021-01-05 13:23:24 +00:00			`assert.error(function() sandbox.run(string.dump(fn)) end)`
feat(sandbox): only allow strings of Lua as params This change drops support for "protecting" raw Lua functions. There are two main reasons for this change: * More modern versions of PUC Rio Lua don't have `setfenv`. It is possible to get around this by using the debug library, but that library is not available in all environments. * Solutions based on `load` (which only allow string inputs) are objectively better since they give the user more control. For instance, you can deactivate support for binary code selectively. As a result, we are using the `load`-based sandbox in all versions of Lua that supports it, using `setfenv`-based sandboxing only when nothing else is available (PUC Rio 5.1). We are also explicitly raising an error if `options.mode` is passed but we are using `setfenv`. This is to prevent users from believing they are protected against binary code, when in fact they are not. 2021-01-04 23:40:59 +00:00			`end)`
			`else`
feat(sandbox) block bytecode when possible 2021-01-05 13:23:24 +00:00			`it('accepts bytecode (PUC Rio 5.1)', function()`
			`local fn = function() end`
			`assert.has.no.error(function() sandbox.run(string.dump(fn)) end)`
feat(sandbox): only allow strings of Lua as params This change drops support for "protecting" raw Lua functions. There are two main reasons for this change: * More modern versions of PUC Rio Lua don't have `setfenv`. It is possible to get around this by using the debug library, but that library is not available in all environments. * Solutions based on `load` (which only allow string inputs) are objectively better since they give the user more control. For instance, you can deactivate support for binary code selectively. As a result, we are using the `load`-based sandbox in all versions of Lua that supports it, using `setfenv`-based sandboxing only when nothing else is available (PUC Rio 5.1). We are also explicitly raising an error if `options.mode` is passed but we are using `setfenv`. This is to prevent users from believing they are protected against binary code, when in fact they are not. 2021-01-04 23:40:59 +00:00			`end)`
			`end`
feat(sandbox) add load mode to string functions 2020-12-11 16:22:17 +00:00
updated readme 2013-09-05 22:40:43 +00:00			`it('has access to safe methods', function()`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.equal(10, sandbox.run("return tonumber('10')"))`
			`assert.equal('HELLO', sandbox.run("return string.upper('hello')"))`
			`assert.equal(1, sandbox.run("local a = {3,2,1}; table.sort(a); return a[1]"))`
			`assert.equal(10, sandbox.run("return math.max(1,10)"))`
updated readme 2013-09-05 22:40:43 +00:00			`end)`
initial version 2013-09-02 20:11:33 +00:00
updated readme 2013-09-05 22:40:43 +00:00			`it('does not allow access to not-safe stuff', function()`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.error(function() sandbox.run('return setmetatable({}, {})') end)`
			`assert.error(function() sandbox.run('return string.rep("hello", 5)') end)`
updated readme 2013-09-05 22:40:43 +00:00			`end)`
feat(sandbox) return multiple values 2020-12-13 17:54:40 +00:00
			`it('does return multiple values', function()`
			`local result = { sandbox.run("return 'hello', 'world'") }`
			`assert.same({ 'hello', 'world' }, result)`
			`end)`
initial version 2013-09-02 20:11:33 +00:00			`end)`

updated readme 2013-09-05 22:40:43 +00:00			`describe('when handling string.rep', function()`
			`it('does not allow pesky string:rep', function()`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.error(function() sandbox.run('return ("hello"):rep(5)') end)`
updated readme 2013-09-05 22:40:43 +00:00			`end)`
initial version 2013-09-02 20:11:33 +00:00
updated readme 2013-09-05 22:40:43 +00:00			`it('restores the value of string.rep', function()`
			`sandbox.run("")`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.equal('hellohello', string.rep('hello', 2))`
updated readme 2013-09-05 22:40:43 +00:00			`end)`

			`it('restores string.rep even if there is an error', function()`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.error(function() sandbox.run("error('foo')") end)`
			`assert.equal('hellohello', string.rep('hello', 2))`
updated readme 2013-09-05 22:40:43 +00:00			`end)`
initial version 2013-09-02 20:11:33 +00:00
feat(sandbox): only allow strings of Lua as params This change drops support for "protecting" raw Lua functions. There are two main reasons for this change: * More modern versions of PUC Rio Lua don't have `setfenv`. It is possible to get around this by using the debug library, but that library is not available in all environments. * Solutions based on `load` (which only allow string inputs) are objectively better since they give the user more control. For instance, you can deactivate support for binary code selectively. As a result, we are using the `load`-based sandbox in all versions of Lua that supports it, using `setfenv`-based sandboxing only when nothing else is available (PUC Rio 5.1). We are also explicitly raising an error if `options.mode` is passed but we are using `setfenv`. This is to prevent users from believing they are protected against binary code, when in fact they are not. 2021-01-04 23:40:59 +00:00			`it('passes parameters to the code', function()`
			`assert.equal(sandbox.run("local a, b = ...; return a + b", {}, 1,2), 3)`
updated readme 2013-09-05 22:40:43 +00:00			`end)`
more fiddling with string.rep 2013-09-03 09:53:41 +00:00			`end)`

updated readme 2013-09-05 22:40:43 +00:00
feat(sandbox): only allow strings of Lua as params This change drops support for "protecting" raw Lua functions. There are two main reasons for this change: * More modern versions of PUC Rio Lua don't have `setfenv`. It is possible to get around this by using the debug library, but that library is not available in all environments. * Solutions based on `load` (which only allow string inputs) are objectively better since they give the user more control. For instance, you can deactivate support for binary code selectively. As a result, we are using the `load`-based sandbox in all versions of Lua that supports it, using `setfenv`-based sandboxing only when nothing else is available (PUC Rio 5.1). We are also explicitly raising an error if `options.mode` is passed but we are using `setfenv`. This is to prevent users from believing they are protected against binary code, when in fact they are not. 2021-01-04 23:40:59 +00:00			`describe('when the sandboxed code tries to modify the base environment', function()`
updated readme 2013-09-05 22:40:43 +00:00
			`it('does not allow modifying the modules', function()`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.error(function() sandbox.run("string.foo = 1") end)`
			`assert.error(function() sandbox.run("string.char = 1") end)`
updated readme 2013-09-05 22:40:43 +00:00			`end)`

			`it('does not persist modifications of base functions', function()`
			`sandbox.run('error = function() end')`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.error(function() sandbox.run("error('this should be raised')") end)`
updated readme 2013-09-05 22:40:43 +00:00			`end)`

			`it('DOES persist modification to base functions when they are provided by the base env', function()`
			`local env = {['next'] = 'hello'}`
			`sandbox.run('next = "bye"', {env=env})`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.equal(env['next'], 'bye')`
updated readme 2013-09-05 22:40:43 +00:00			`end)`
do not persist changes to the environment from sandbox to sandbox 2013-09-03 14:07:28 +00:00			`end)`

made sandbox immune to while trues 2013-09-03 10:53:26 +00:00
feat(sandbox) explicitly drop support of quotas on LuaJIT The solution we use in PUC Rio Lua (with debug.sethook) simply does not work in LuaJIT. * We have added a `sandbox.quota_supported` field to signal this feature (or lack of thereof) * We explicitly return an error if `options.quota` is passed on a LuaJIT environment, in order to prevent LuaJIT users from believing that they are protected against infinite loops. 2021-01-04 23:43:04 +00:00			`if sandbox.quota_supported then`
			`describe('when given infinite loops', function()`
			`it('throws an error with infinite loops', function()`
			`assert.error(function() sandbox.run("while true do end") end)`
			`end)`
naming & refactoring 2013-09-03 11:20:38 +00:00
feat(sandbox) explicitly drop support of quotas on LuaJIT The solution we use in PUC Rio Lua (with debug.sethook) simply does not work in LuaJIT. * We have added a `sandbox.quota_supported` field to signal this feature (or lack of thereof) * We explicitly return an error if `options.quota` is passed on a LuaJIT environment, in order to prevent LuaJIT users from believing that they are protected against infinite loops. 2021-01-04 23:43:04 +00:00			`it('restores string.rep even after a while true', function()`
			`assert.error(function() sandbox.run("while true do end") end)`
			`assert.equal('hellohello', string.rep('hello', 2))`
			`end)`
initial version 2013-09-02 20:11:33 +00:00
feat(sandbox) explicitly drop support of quotas on LuaJIT The solution we use in PUC Rio Lua (with debug.sethook) simply does not work in LuaJIT. * We have added a `sandbox.quota_supported` field to signal this feature (or lack of thereof) * We explicitly return an error if `options.quota` is passed on a LuaJIT environment, in order to prevent LuaJIT users from believing that they are protected against infinite loops. 2021-01-04 23:43:04 +00:00			`it('accepts a quota param', function()`
			`assert.has_no.errors(function() sandbox.run("for i=1,100 do end") end)`
			`assert.error(function() sandbox.run("for i=1,100 do end", {quota = 20}) end)`
			`end)`
naming & refactoring 2013-09-03 11:20:38 +00:00
feat(sandbox) explicitly drop support of quotas on LuaJIT The solution we use in PUC Rio Lua (with debug.sethook) simply does not work in LuaJIT. * We have added a `sandbox.quota_supported` field to signal this feature (or lack of thereof) * We explicitly return an error if `options.quota` is passed on a LuaJIT environment, in order to prevent LuaJIT users from believing that they are protected against infinite loops. 2021-01-04 23:43:04 +00:00			`it('does not use quotes if the quote param is false', function()`
			`assert.has_no.errors(function() sandbox.run("for i=1,1000000 do end", {quota = false}) end)`
			`end)`
accepts limit param 2013-09-03 11:14:42 +00:00			`end)`
feat(sandbox) explicitly drop support of quotas on LuaJIT The solution we use in PUC Rio Lua (with debug.sethook) simply does not work in LuaJIT. * We have added a `sandbox.quota_supported` field to signal this feature (or lack of thereof) * We explicitly return an error if `options.quota` is passed on a LuaJIT environment, in order to prevent LuaJIT users from believing that they are protected against infinite loops. 2021-01-04 23:43:04 +00:00			`else`
			`it('throws an error when trying to use the quota option in an unsupported environment (LuaJIT)', function()`
			`assert.error(function() sandbox.run("", {quota = 20}) end)`
passing false as a quota deactivates the hooks 2013-09-14 10:54:49 +00:00			`end)`
feat(sandbox) explicitly drop support of quotas on LuaJIT The solution we use in PUC Rio Lua (with debug.sethook) simply does not work in LuaJIT. * We have added a `sandbox.quota_supported` field to signal this feature (or lack of thereof) * We explicitly return an error if `options.quota` is passed on a LuaJIT environment, in order to prevent LuaJIT users from believing that they are protected against infinite loops. 2021-01-04 23:43:04 +00:00			`end`
initial version 2013-09-02 20:11:33 +00:00
updated readme 2013-09-05 22:40:43 +00:00
added refs param 2013-09-03 16:07:03 +00:00			`describe('when given an env option', function()`
made _G available as a mocked up env inside the sandboxed env 2013-09-13 11:26:08 +00:00			`it('is available on the sandboxed env as the _G variable', function()`
			`local env = {foo = 1}`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.equal(1, sandbox.run("return foo", {env = env}))`
			`assert.equal(env, sandbox.run("return _G", {env = env}))`
cleanup 2013-09-03 14:41:46 +00:00			`end)`

added refs param 2013-09-03 16:07:03 +00:00			`it('does not hide base env', function()`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.equal('HELLO', sandbox.run("return string.upper(foo)", {env = {foo = 'hello'}}))`
cleanup 2013-09-03 14:41:46 +00:00			`end)`
added refs param 2013-09-03 16:07:03 +00:00
updated readme 2013-09-05 22:40:43 +00:00			`it('can modify the env', function()`
added refs param 2013-09-03 16:07:03 +00:00			`local env = {foo = 1}`
updated readme 2013-09-05 22:40:43 +00:00			`sandbox.run("foo = 2", {env = env})`
chore(*) use busted for specs it does no longer hang 2020-12-13 17:54:19 +00:00			`assert.equal(env.foo, 2)`
added refs param 2013-09-03 16:07:03 +00:00			`end)`
			`end)`

initial version 2013-09-02 20:11:33 +00:00			`end)`