feat(sandbox) block bytecode when possible

This commit is contained in:
Enrique García Cota 2021-01-05 14:23:24 +01:00
parent 71223d4fe9
commit 2a8a2445d3
No known key found for this signature in database
GPG Key ID: 3BAA19133AAD7764
3 changed files with 45 additions and 19 deletions

View File

@ -9,6 +9,16 @@ It's possible to provide extra functions via the `options.env` parameter.
Infinite loops are prevented via the `debug` library. Infinite loops are prevented via the `debug` library.
Supported Lua versions:
======================
All the features of sandbox.lua work in the following Lua environments:
* PUC-Rio Lua 5.1 **allows execution of bytecode**, which is a huge limitation (see the bytecode section below)
* PUC-Rio Lua 5.2, 5.3, 5.4 have total support.
* LuaJIT is not protected against infinite loops (see the notes in `options.quota` below)
Usage Usage
===== =====
@ -51,6 +61,29 @@ local sf = sandbox.protect([[
sf() -- error: quota exceeded sf() -- error: quota exceeded
``` ```
### Bytecode
It is possible to exit a sandbox using Lua bytecode. References:
* http://apocrypha.numin.it/talks/lua_bytecode_exploitation.pdf
* https://github.com/erezto/lua-sandbox-escape
* https://gist.github.com/corsix/6575486
Because of this, the sandbox deactivates bytecode in all the versions of Lua where it is possible:
* PUC-Rio Lua 5.2, 5.3, 5.4
* LuaJIT
In other words, _all except PUC-Rio Lua 5.1_.
** The sandbox can be exploited in PUC-Rio Lua 5.1 via bytecode **
The only reason we keep Lua 5.1 in the list of supported versions of Lua is because
sandboxing can help against users attempting to delete a file by mistake. _It does not provide
protection against malicious users_.
As a result we _strongly recommend updating to a more recent version when possible_.
### options.quota ### options.quota
`sandbox.lua` prevents infinite loops from halting the program by hooking the `debug` library to the sandboxed function, and "counting instructions". When `sandbox.lua` prevents infinite loops from halting the program by hooking the `debug` library to the sandboxed function, and "counting instructions". When
@ -95,7 +128,7 @@ recommended to discard it after use.
### sandbox.run ### sandbox.run
`sandbox.run(code)` sanboxes and executes `code` in a single line. `code` must be a string with Lua code inside. `sandbox.run(code)` sandboxes and executes `code` in a single line. `code` must be a string with Lua code inside.
You can pass `options` param, and it will work like in `sandbox.protect`. You can pass `options` param, and it will work like in `sandbox.protect`.

View File

@ -33,9 +33,9 @@ local sandbox = {
local quota_supported = type(_G.jit) == "nil" local quota_supported = type(_G.jit) == "nil"
sandbox.quota_supported = quota_supported sandbox.quota_supported = quota_supported
-- PUC-Rio Lua 5.1 does not support deactivation of binary code -- PUC-Rio Lua 5.1 does not support deactivation of bytecode
local mode_supported = _ENV or type(_G.jit) == "table" local bytecode_blocked = _ENV or type(_G.jit) == "table"
sandbox.mode_supported = mode_supported sandbox.bytecode_blocked = bytecode_blocked
-- The base environment is merged with the given env option (or an empty table, if no env provided) -- The base environment is merged with the given env option (or an empty table, if no env provided)
-- --
@ -143,12 +143,9 @@ function sandbox.protect(code, options)
local f local f
if mode_supported then if bytecode_blocked then
f = assert(load(code, nil, options.mode, env)) f = assert(load(code, nil, 't', env))
else else
if options.mode then
error("options.mode is not supported on this environment (usually PUC-Rio Lua 5.1). Please unset options.mode")
end
f = assert(loadstring(code)) f = assert(loadstring(code))
setfenv(f, env) setfenv(f, env)
end end

View File

@ -9,19 +9,15 @@ describe('sandbox.run', function()
assert.equal(r, 'hello') assert.equal(r, 'hello')
end) end)
it('can run bytecode strings by default', function() if sandbox.bytecode_blocked then
local fn = function() end it('rejects bytecode', function()
assert.has_no.error(function() sandbox.run(string.dump(fn)) end)
end)
if sandbox.mode_supported then
it('can\'t run bytecode strings if given a \'t\' mode option', function()
local fn = function() end local fn = function() end
assert.error(function() sandbox.run(string.dump(fn), { mode = 't' }) end) assert.error(function() sandbox.run(string.dump(fn)) end)
end) end)
else else
it('throws an error if the mode option is used', function() it('accepts bytecode (PUC Rio 5.1)', function()
assert.error(function() sandbox.run("", { mode = 't' }) end) local fn = function() end
assert.has.no.error(function() sandbox.run(string.dump(fn)) end)
end) end)
end end