Whitelisting when sandboxing a VM #348

Open
ragnarlonn opened this issue Oct 19, 2021 · 2 comments

ragnarlonn commented Oct 19, 2021

Hi, and thanks for creating this great Golang Lua VM!

I've been trying to do some sandboxing and failed to find good support for it in gopher-lua. The methods suggested by @yuin and others (in e.g. issue #11) are all about blacklisting functionality you want to disable, rather than whitelisting things you want to enable. Whitelisting is much better, but as of now, it seems you can only whitelist entire libraries (by creating the LState with the SkipOpenLibs option and then calling OpenXXX() for the libs you want to enable).

I find that I want to enable some functions in e.g. "os", but not all of them. It would be really neat if it was possible to select exactly what functionality you want from a library, when loading it. I may have found a way to do this without breaking the current API, but I'm new to this whole code base so sorry if I'm suggesting something completely stupid ;)

What if e.g. OpenBase() was defined as OpenBase(L *LState, enableFuncs ...string) and then OpenBase() does something like:

The definition of OpenBase() below is not correct. Look at the next comment instead.

```go
func OpenBase(L *LState, enableFuncs ...string) int {
   ...
   baseFuncsToEnable := baseFuncs
   if len(enableFuncs) > 0 {
      baseFuncsToEnable := map[string]LGFunction{}
      for k, v := range baseFuncsToEnable {
         baseFuncsToEnable[k] = v
      }
   }
   basemod := L.RegisterModule("_G", baseFuncsToEnable)
   ...
}
```

Then old code should work, and it would be possible to specify a list of things you want added, when calling OpenBase():

```go
// Start with no libraries loaded, then enable only the listed base functions.
L := lua.NewState(lua.Options{SkipOpenLibs: true})
defer L.Close()
enableBaseFunctions := []string{"assert", "error", "print", "tonumber", "tostring"}
lua.OpenBase(L, enableBaseFunctions...)
```

@ragnarlonn

Uh, that code did not come out right. I meant something like this:

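```go
func OpenBase(L *LState, enableFuncs ...string) int {
   ...
   // Default: register every base function (existing behaviour).
   baseFuncsToEnable := baseFuncs
   if len(enableFuncs) > 0 {
      // Assign with "=", not ":=", so the outer variable is replaced, not shadowed.
      baseFuncsToEnable = map[string]LGFunction{}
      for _, funcName := range enableFuncs {
         // Skip unknown names so a nil function is never registered.
         if fn, ok := baseFuncs[funcName]; ok {
            baseFuncsToEnable[funcName] = fn
         }
      }
   }
   basemod := L.RegisterModule("_G", baseFuncsToEnable)
   ...
}
```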
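
An added example, not part of the original issue and not gopher-lua's own code: the per-function allowlist proposed above, written as a standalone helper that returns an error for names missing from the library table. `LGFunction` is a simplified stand-in type here, and `baseFuncs`, `stub`, `selectFuncs` and `names` are hypothetical names with constructed contents.

```go
package main

import (
	"fmt"
	"sort"
)

// LGFunction is a simplified stand-in for the library's Go-function type
// (assumption: reduced so the example builds without gopher-lua).
type LGFunction func() int

func stub() int { return 0 }

// baseFuncs is a constructed stand-in for a library's full function table.
var baseFuncs = map[string]LGFunction{
	"assert": stub, "error": stub, "print": stub, "tonumber": stub,
	"tostring": stub, "dofile": stub, "loadstring": stub,
}

// selectFuncs returns the functions to register. With no names it returns the
// whole table (the existing behaviour); otherwise only the named entries.
// An unknown name is an error, so a typo cannot register a nil function.
func selectFuncs(all map[string]LGFunction, allow ...string) (map[string]LGFunction, error) {
	if len(allow) == 0 {
		return all, nil
	}
	selected := make(map[string]LGFunction, len(allow))
	for _, name := range allow {
		fn, ok := all[name]
		if !ok {
			return nil, fmt.Errorf("allowlist: unknown function %q", name)
		}
		selected[name] = fn
	}
	return selected, nil
}

// names returns the sorted keys of m, for stable output.
func names(m map[string]LGFunction) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	funcs, err := selectFuncs(baseFuncs, "assert", "error", "print", "tonumber", "tostring")
	fmt.Println(names(funcs), err)
	_, err = selectFuncs(baseFuncs, "assert", "pirnt") // constructed typo
	fmt.Println(err)
}
```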

@ragnarlonn

Hmm, I just saw this is pretty much a duplicate of #255
