I was just working on a localizable Lua string solution when I came up with this hack. The problem is I don't know how to avoid getting hacked by it :) So I was wondering if anyone has done something similar and/or knows how to protect from this kind of attack (in user code).
Since we can do this:
=("foo"):upper() --> output: FOO
It can be hacked like this:
getmetatable("foo").__index.upper = function() print("bye bye sucker");os.exit() end
=("foo"):upper() --> output: bye bye sucker (application quits)
-- or this way
=string.upper("bar") --> output: bye bye sucker (application quits)
Any ideas?
First and foremost, execute untrusted code in a sandboxed environment only, as other posters have said. Except for loading bytecode chunks, Lua allows all other sandboxing issues to be covered. (And bytecode chunk problems get fixed promptly as they are discovered.)
See Lua Live Demo for an example of sandboxing. Sources are available here.
Your specific problem with metatables is solved by setting a __metatable field:

"If you set a __metatable field in the metatable, getmetatable will return the value of this field, whereas setmetatable will raise an error." – Roberto Ierusalimschy, Programming in Lua 1st edition, 13.3 - Library-Defined Metamethods
For example:
> mt = { __metatable = true }
> t = {}
> setmetatable(t, mt)
> setmetatable(t, mt)
stdin:1: cannot change a protected metatable
stack traceback:
[C]: in function 'setmetatable'
stdin:1: in main chunk
[C]: ?
So, all you have to do is:
getmetatable("").__metatable = true
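Worked example of the lock above, added here and not part of the original answer. It runs on stock Lua 5.1 and later; the payload is a stub rather than os.exit so the script can be run safely. It also shows the two things the lock does not cover: debug.getmetatable ignores __metatable, and the string library table is still reachable as the global `string`, so the second form in the question (assigning to string.upper directly) keeps working unless the user's environment is restricted as well.

```lua
-- Added example (not from the original answer): locking the shared string
-- metatable so user code can no longer reach it through getmetatable.
-- Runs on Lua 5.1+; the payload below is a stub, not os.exit.

local smt = getmetatable("")
assert(smt.__index == string, "string methods resolve through the string table")

-- Lock it. From now on getmetatable("") returns true instead of the table.
smt.__metatable = true
assert(getmetatable("anything") == true)

-- The attack from the question now fails: `true` cannot be indexed.
local ok, err = pcall(function()
  getmetatable("foo").__index.upper = function() return "bye bye sucker" end
end)
print(ok, err)          -- false   attempt to index a boolean value
print(("foo"):upper())  -- FOO     (string.upper is untouched)

-- Two holes the lock does not close:
-- 1. debug.getmetatable ignores __metatable, so the debug library must be
--    withheld from user code.
assert(debug.getmetatable("") == smt)

-- 2. The string library is still the plain global `string`, so the second
--    form in the question keeps working until the user's environment is
--    restricted (setfenv / load with an env table).
local saved = string.upper
string.upper = function() return "still hacked" end
print(("foo"):upper())  -- still hacked
string.upper = saved
```

Setting __metatable is cheap and worth doing, but on its own it only hides the metatable from getmetatable; it is the environment restriction that actually keeps user code away from the string table.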
If your hacker has the ability to add code, and you need to allow that code to call things like os.exit, then you're pretty much out of luck anyway.
You can restrict the functions that their code can call, though. It depends on what you still want user code to be able to do. See the docs for setfenv and google for "lua sandbox".
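A minimal sandbox of the kind the two answers above describe, added here as an illustration and not code from any poster. It gives user code a whitelist of functions plus read-only views of string, table and math, refuses bytecode chunks (the one case the earlier answer flags as not sandboxable), and binds the chunk with setfenv on Lua 5.1/LuaJIT or load's env argument on 5.2+. The whitelist is an assumption; extend it to what your users genuinely need, but keep os, io, debug, the loaders and the raw/metatable functions out of it.

```lua
-- Added example (not from the original thread): a minimal Lua sandbox that
-- gives user code only a whitelist of functions and a read-only view of the
-- library tables. Works on Lua 5.1/LuaJIT (setfenv) and 5.2+ (load with env).
-- The whitelist below is an assumption; extend it to what your users need.

-- Read-only view of a table: reads pass through, writes raise an error.
local function readonly(t)
  return setmetatable({}, {
    __index = t,
    __newindex = function(_, k)
      error("attempt to modify read-only field '" .. tostring(k) .. "'", 2)
    end,
    __metatable = false,  -- getmetatable returns false, setmetatable errors
  })
end

-- What user code is allowed to see. Deliberately absent: os, io, debug,
-- load/loadstring/dofile/require, rawset/rawget, getmetatable/setmetatable.
local WHITELIST = {
  print = print, type = type, tostring = tostring, tonumber = tonumber,
  pairs = pairs, ipairs = ipairs, next = next, select = select,
  pcall = pcall, error = error, assert = assert,
  string = readonly(string), table = readonly(table), math = readonly(math),
}

-- A fresh globals table per run: user code may define its own globals here,
-- and reads of anything else fall through to the whitelist.
local function make_sandbox_env()
  return setmetatable({}, { __index = WHITELIST, __metatable = false })
end

-- Compile `src` as a text chunk bound to `env`. Bytecode is refused because
-- crafted bytecode can escape any sandbox, as the earlier answer notes.
local function load_sandboxed(src, env)
  if src:byte(1) == 27 then  -- "\27Lua": signature of a precompiled chunk
    return nil, "bytecode chunks are not allowed"
  end
  if setfenv then                         -- Lua 5.1 / LuaJIT
    local fn, err = loadstring(src, "=user")
    if not fn then return nil, err end
    return setfenv(fn, env)
  end
  return load(src, "=user", "t", env)     -- 5.2+: mode "t" = text only
end

-- Run untrusted source; returns ok, result-or-error, like pcall.
local function run_user_code(src)
  local fn, err = load_sandboxed(src, make_sandbox_env())
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed inputs: the two attacks from the question, a direct os.exit,
-- and a legitimate call that must keep working.
local inputs = {
  [[getmetatable("foo").__index.upper = function() os.exit() end]],  -- getmetatable is nil here
  [[string.upper = function() os.exit() end]],                      -- string is read-only
  [[os.exit()]],                                                    -- os is nil here
  [[return ("foo"):upper()]],                                       -- allowed: true, FOO
}
for i, src in ipairs(inputs) do
  print(i, run_user_code(src))
end
```

The first three inputs fail inside pcall with an ordinary Lua error (nil global, read-only field, nil global) and the host keeps running; the fourth returns FOO because method calls on strings still resolve through the real string table, which the user cannot modify. Memory and CPU exhaustion (string.rep, infinite loops) are a separate problem that needs instruction-count hooks or an OS-level limit.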