Can lupa be used to run untrusted lua code in python?

Let's say I create a LuaRuntime with register_eval=False and attribute_filter, which prevents access to anything other than a few Python functions. Can it be assumed that Lua code will not be able to execute os.system("rm -rf *") or something like that?

+4
1 answer

From a look at the Lupa doc:

Limiting Lua access to Python objects

Lupa provides a simple mechanism for controlling access to Python objects. Each attribute access can be passed through a filter function as follows:

It does not say anything about preventing or restricting access to the facilities provided by Lua itself. If no other changes are made to the LuaRuntime environment, then the Lua script can indeed do something like os.execute("rm -rf *").

To control what environment the lua script is running in, you can use setfenv and getfenv in the sandbox script before running it. For instance:

    import lupa

    def foobar():                    # placeholder for a Python function you choose to expose
        return "foobar"

    L = lupa.LuaRuntime()
    sandbox = L.eval("{}")           # empty table that becomes the new global environment
    setfenv = L.eval("setfenv")      # Lua 5.1 / LuaJIT builtin
    sandbox.print = L.globals().print
    sandbox.math = L.globals().math
    sandbox.string = L.globals().string
    sandbox.foobar = foobar          # etc...
    setfenv(0, sandbox)              # level 0: environment of the running thread

Now executing something like L.execute("os.execute('rm -rf *')") will result in a script error.

+10

Source: https://habr.com/ru/post/1489553/
