Lupa可以用于在python中运行不受信任的lua代码吗? [英] Can Lupa be used to run untrusted lua code in python?
问题描述
register_eval=False
和attribute_filter
创建了一个LuaRuntime
,它阻止了除少数python函数外的任何访问.是否可以安全地假设lua代码将无法执行os.system("rm -rf *")
或类似的操作?通过查看的操作.
要控制lua脚本在哪种环境下运行,可以在运行脚本之前使用setfenv
和getfenv
对其进行沙箱处理.例如:
import lupa
L = lupa.LuaRuntime()
sandbox = L.eval("{}")
setfenv = L.eval("setfenv")
sandbox.print = L.globals().print
sandbox.math = L.globals().math
sandbox.string = L.globals().string
sandbox.foobar = foobar
# etc...
setfenv(0, sandbox)
现在执行类似L.execute("os.execute('rm -rf *')")
的操作将导致脚本错误.
Let's say I create LuaRuntime
with register_eval=False
and an attribute_filter
that prevents access to anything except a few python functions. Is it safe to assume that lua code won't be able to do os.system("rm -rf *")
or something like that?
From looking at the Lupa doc:
Restricting Lua access to Python objects
Lupa provides a simple mechanism to control access to Python objects. Each attribute access can be passed through a filter function as follows...
It doesn't say anything about preventing or limiting access to facilities provided by Lua itself. If no other modifications are done to the LuaRuntime
environment then a lua script can indeed do something like os.execute("rm -rf *")
.
To control what kind of environment the lua script works in you can use the setfenv
and getfenv
to sandbox the script before running it. For example:
import lupa
L = lupa.LuaRuntime()
sandbox = L.eval("{}")
setfenv = L.eval("setfenv")
sandbox.print = L.globals().print
sandbox.math = L.globals().math
sandbox.string = L.globals().string
sandbox.foobar = foobar
# etc...
setfenv(0, sandbox)
Now doing something like L.execute("os.execute('rm -rf *')")
will result in a script error.
这篇关于Lupa可以用于在python中运行不受信任的lua代码吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!