Lua: Why is "require" unsafe for use in a sandbox environment?

On this page, http://lua-users.org/wiki/SandBoxes, require is marked as unsafe because it:

  • modifies global variables (e.g. package.loaded)
  • provides access to environments outside the sandbox
  • and accesses the file system

Almost all pure Lua libraries use "require", so its not being safe is a huge pain because you cannot use pure Lua libraries. I do not understand these reasons for it being unsafe. It just loads other Lua files as libraries. Why is it unsafe?

+4
2 answers

require loads and executes code in the global environment.

For example (Lua >= 5.2):

-- example.lua
my_global = 42

local sandbox
do
  local _ENV = { require = require, print = print }

  function sandbox()
    print('<sandbox> my_global =', my_global)
    require 'example_module'
  end
end

print('<global> my_global =', my_global)
sandbox()
print('<global> my_global =', my_global)

And a module that modifies my_global:

-- example_module.lua
print('<module> my_global =', my_global)
my_global = nil

Inside the sandbox only require and print are available; my_global is not.

Output:

$ lua example.lua
<global> my_global =    42      -- The global environment, Ok.
<sandbox> my_global =   nil     -- Inside the sandbox, Ok.
<module> my_global =    42      -- Inside the sandbox, but loaded with require. Whoops, we have access to the global environment.
<global> my_global =    nil     -- The module changed the value and it is reflected in the global environment.


+5
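The fix the answer implies is to give the sandbox its own require, one that loads module chunks with the sandbox's _ENV instead of the global one. The following is an added example, not code from the answer or the Lua wiki; it assumes Lua >= 5.2 (load and loadfile accept an env argument), and the module source for example_module is constructed inline, copied from the answer above, so the snippet runs without that file on disk.

```lua
-- Added example: a sandbox-aware require. Modules run with the sandbox's _ENV,
-- so they can neither read nor write the real globals, and they are cached
-- per sandbox rather than in the shared package.loaded table.
local function make_sandbox(sources)
  local env = { print = print, string = string }  -- whitelist; nothing else leaks in
  local loaded = {}                                -- per-sandbox cache

  function env.require(name)
    if loaded[name] ~= nil then return loaded[name] end
    -- Accept only plain dotted module names; this keeps ".." and path
    -- separators out of package.searchpath.
    if not name:match("^[%w_][%w_%.]*$") or name:find("..", 1, true) then
      error("sandbox: illegal module name '" .. name .. "'", 2)
    end
    local chunk, err
    if sources[name] then
      -- In-memory source (constructed for this example).
      chunk, err = load(sources[name], "=" .. name, "t", env)
    else
      -- On-disk module: resolve via package.path, then load it as text only
      -- (no bytecode) with the sandbox env as its _ENV upvalue.
      local path, perr = package.searchpath(name, package.path)
      if not path then
        error("sandbox: module '" .. name .. "' not found:" .. perr, 2)
      end
      chunk, err = loadfile(path, "t", env)
    end
    if not chunk then error(err, 2) end
    local result = chunk(name)
    if result == nil then result = true end   -- same convention as require
    loaded[name] = result
    return result
  end
  return env
end

-- Constructed module source: identical to example_module.lua in the answer.
local sources = {
  example_module = [[
    print('<module> my_global =', my_global)
    my_global = nil
  ]],
}

my_global = 42
local env = make_sandbox(sources)
local run = assert(load("require 'example_module'", "=sandbox", "t", env))
run()
print('<global> my_global =', my_global)
```

Run with `lua`: the module now sees my_global as nil, and its assignment only sets env.my_global, so the final line shows the real global still at 42.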

, , .

require, . , , , "" .

+3

Source: https://habr.com/ru/post/1649193/
