Sandboxing



#1 MindenCucc

  • Members
  • 179 posts
  • Location/home/marcus/

Posted 13 May 2015 - 09:36 PM

I know that there are some questions about sandboxes, but the question is the same: is this sandbox safe? If not, then how could I improve it?

http://pastebin.com/SmHTkBQe

Usage:
new(function:sandboxed function, table:table used for the function environment, table:ignores table indexes (indicies?) from the underlying environment, table:underlying environment)

All of the parameters are optional.

Example:
local func = loadfile("test")
local env = { cheese = "garlic" }
sand.new(func, env, { lw = true, debug = true }, getfenv())

I'm not asking about fs safety. My question is: is it possible to access / break out to the parent fenv using this sandbox?

//off-topic: there should be a topic about sandboxes and breaking methods :P Because a lot of these kinds of posts could be avoided.

Edited by MindenCucc, 13 May 2015 - 09:43 PM.


#2 SquidDev

    Frickin' laser beams | Resident Necromancer

  • Members
  • 1,427 posts
  • LocationDoes anyone put something serious here?

Posted 14 May 2015 - 08:02 AM

Yes. I haven't tested but a brief read of your code means I can do:

setfenv(function()
  -- Hehehe, I'm executing in the global namespace
end, _G)

Even if you sandbox _G, I can do:

local _G = getfenv(aSandboxedFunction)

There is a topic on the main Lua website about sandboxes.
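The two snippets in the reply above both work through getfenv/setfenv, so one way to close that path is to give the sandbox its own wrapped versions. This is an added example, not part of the original thread or of the pastebin code; it assumes Lua 5.1 (where setfenv/getfenv and loadstring exist), and new_sandbox, owned and host_api are hypothetical names.

```lua
-- Added example for Lua 5.1 (setfenv/getfenv). new_sandbox, owned and
-- host_api are hypothetical names, not taken from the pastebin code.
local real_getfenv, real_setfenv = getfenv, setfenv

local function new_sandbox(whitelist)
  local env = {}
  -- Environments that belong to the sandbox; weak keys so they can be collected.
  local owned = setmetatable({ [env] = true }, { __mode = "k" })
  for k, v in pairs(whitelist) do env[k] = v end
  env._G = env -- the sandbox only ever sees itself as _G

  function env.getfenv(f)
    -- Stack levels and omitted arguments resolve to the sandbox itself.
    if type(f) ~= "function" then return env end
    local e = real_getfenv(f)
    -- A host function's environment is the parent fenv: never reveal it.
    if owned[e] then return e end
    return env
  end

  function env.setfenv(f, t)
    if type(f) ~= "function" or type(t) ~= "table" then
      error("setfenv: expected (function, table)", 2)
    end
    -- Only functions created inside the sandbox may be retargeted.
    if not owned[real_getfenv(f)] then
      error("setfenv: function does not belong to this sandbox", 2)
    end
    owned[t] = true
    return real_setfenv(f, t)
  end
  return env
end

-- Constructed demo: host_api is defined outside, so its fenv is the parent one.
local function host_api() return "ok" end
local env = new_sandbox({ host_api = host_api, pcall = pcall })
local untrusted = loadstring([[
  local a = setfenv(function() return os end, _G)() -- first snippet from the reply
  local b = getfenv(host_api).os                    -- second snippet from the reply
  local c = pcall(setfenv, host_api, {})            -- retargeting a host function
  return a, b, c
]])
real_setfenv(untrusted, env)
local a, b, c = untrusted()
assert(a == nil and b == nil and c == false)
print("parent environment not reachable through getfenv/setfenv")
```

The wrappers cover only the getfenv/setfenv path discussed in this thread; every other function placed in the whitelist needs the same review before it is exposed.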




