Can Lupa be used to run untrusted lua code in python?

Question

Let's say I create LuaRuntime with register_eval=False and an attribute_filter that prevents access to anything except a few python functions. Is it safe to assume that lua code won't be able to do os.system("rm -rf *") or something like that?

Answer 1

From looking at the Lupa doc:

Restricting Lua access to Python objects

Lupa provides a simple mechanism to control access to Python objects. Each attribute access can be passed through a filter function as follows...

It doesn't say anything about preventing or limiting access to facilities provided by Lua itself. If no other modifications are done to the LuaRuntime environment then a lua script can indeed do something like os.execute("rm -rf *").

To control what kind of environment the lua script works in you can use the setfenv and getfenv to sandbox the script before running it. For example:

import lupa
L = lupa.LuaRuntime()
sandbox = L.eval("{}")
setfenv = L.eval("setfenv")

sandbox.print   = L.globals().print
sandbox.math    = L.globals().math
sandbox.string  = L.globals().string
sandbox.foobar  = foobar
# etc...

setfenv(0, sandbox)

Now doing something like L.execute("os.execute('rm -rf *')") will result in a script error.