made _G available as a mocked up env inside the sandboxed env

sandbox.lua

@@ -36,7 +36,7 @@ local BASE_ENV = {}
 -- * {set|get}metatable: can be used to modify the metatable of global objects (strings, integers)
 -- * collectgarbage: can affect performance of other systems
 -- * dofile: can access the server filesystem
--- * _G: It has access to everything. It could be mocked though.
+-- * _G: It has access to everything. It can be mocked to other things though.
 -- * load{file|string}: All unsafe because they can grant acces to global env
 -- * raw{get|set|equal}: Potentially unsafe
 -- * module|require|module: Can modify the host settings
@@ -116,6 +116,7 @@ function sandbox.protect(f, options)
 
   local quota = options.quota or 500000
   local env   = merge(options.env or {}, BASE_ENV)
+  env._G = env._G or env
 
   setfenv(f, env)
 

spec/sandbox_spec.lua

@@ -23,7 +23,6 @@ describe('sandbox.run', function()
     it('does not allow access to not-safe stuff', function()
       assert_error(function() sandbox.run('return setmetatable({}, {})') end)
       assert_error(function() sandbox.run('return string.rep("hello", 5)') end)
-      assert_error(function() sandbox.run('return _G.string.upper("hello")') end)
     end)
   end)
 
@@ -88,8 +87,10 @@ describe('sandbox.run', function()
 
 
   describe('when given an env option', function()
-    it('is available on the sandboxed env', function()
+    it('is available on the sandboxed env as the _G variable', function()
-      assert_equal(1, sandbox.run("return foo", {env = {foo = 1}}))
+      local env = {foo = 1}
+      assert_equal(1, sandbox.run("return foo", {env = env}))
+      assert_equal(env, sandbox.run("return _G", {env = env}))
     end)
 
     it('does not hide base env', function()