By not passing default string operators, most of which aren't safe, to the environment. The sandbox overloads the string type metatable with the environment's string table if provided, otherwise it uses an empty table. For string.rep specifically, perhaps you would use something like: function env.string.rep(s, n, sep) local len=#s*n + (sep and #sep or 0)*(n-1) if len>limit then error 'Resulting string was too long' end return string.rep(s, n, sep) end On Wed, Dec 17, 2014 at 9:51 AM, Elias Hogstvedt <eliashogstvedt@xxxxxxxxx> wrote: > > how would you handle string operations like ("a"):rep(9999999) ? > > On Tue, Dec 16, 2014 at 7:19 PM, Meae Flowright <scratchnloved@xxxxxxxxx> > wrote: >> >> https://github.com/Meae/luajit-sandbox >> I've put together a basic sandbox for luajit to resemble the coroutine >> library, prioritizing safety and simplicity over efficiency. The accounting >> isn't perfectly accurate, and environment sharing is intentionally allowed. >> If anyone sees other problems, particularly holes, please let me know! >> >> --Meae >> >