From 549e31e7cde89e3d1dba7826c3e538b10d74a2af Mon Sep 17 00:00:00 2001 From: kikito Date: Fri, 13 Sep 2013 13:26:08 +0200 Subject: [PATCH] made _G available as a mocked up env inside the sandboxed env --- sandbox.lua | 3 ++- spec/sandbox_spec.lua | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/sandbox.lua b/sandbox.lua index eb76363..19eea01 100644 --- a/sandbox.lua +++ b/sandbox.lua @@ -36,7 +36,7 @@ local BASE_ENV = {} -- * {set|get}metatable: can be used to modify the metatable of global objects (strings, integers) -- * collectgarbage: can affect performance of other systems -- * dofile: can access the server filesystem --- * _G: It has access to everything. It could be mocked though. +-- * _G: It has access to everything. It can be mocked to other things though. -- * load{file|string}: All unsafe because they can grant acces to global env -- * raw{get|set|equal}: Potentially unsafe -- * module|require|module: Can modify the host settings @@ -116,6 +116,7 @@ function sandbox.protect(f, options) local quota = options.quota or 500000 local env = merge(options.env or {}, BASE_ENV) + env._G = env._G or env setfenv(f, env) diff --git a/spec/sandbox_spec.lua b/spec/sandbox_spec.lua index b7b3317..e81e819 100644 --- a/spec/sandbox_spec.lua +++ b/spec/sandbox_spec.lua @@ -23,7 +23,6 @@ describe('sandbox.run', function() it('does not allow access to not-safe stuff', function() assert_error(function() sandbox.run('return setmetatable({}, {})') end) assert_error(function() sandbox.run('return string.rep("hello", 5)') end) - assert_error(function() sandbox.run('return _G.string.upper("hello")') end) end) end) @@ -88,8 +87,10 @@ describe('sandbox.run', function() describe('when given an env option', function() - it('is available on the sandboxed env', function() - assert_equal(1, sandbox.run("return foo", {env = {foo = 1}})) + it('is available on the sandboxed env as the _G variable', function() + local env = {foo = 1} + assert_equal(1, sandbox.run("return foo", {env = env})) + assert_equal(env, sandbox.run("return _G", {env = env})) end) it('does not hide base env', function()