Re: [ANN] Simple Luajit Sandbox

  • From: Meae Flowright <scratchnloved@xxxxxxxxx>
  • To: luajit@xxxxxxxxxxxxx
  • Date: Wed, 17 Dec 2014 10:15:17 -0500

It's mandatory to specify a few maximum parameters when you're loading the
script. From the readme:

privs={
  time_unit=1, --seconds allowed per call
  time_total=2, --seconds allowed total
  memory_unit=4, --kb allowed per call
  memory_total=8, --kb allowed total
  maxlength=math.huge, --characters allowed in code
}

It does some simple accounting to keep the lifetime totals.

--Meae
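One way the per-call and lifetime accounting described above could be enforced in Lua 5.1 / LuaJIT, written here as an added example rather than the sandbox's own code: only the privs field names come from the readme, while run_limited, used, the watchdog hook and the bomb chunk (Roberto's concatenation example from the quoted message, looped) are assumptions of mine.

```lua
-- Added example, not the sandbox's own code: per-call and lifetime caps
-- enforced with a count hook. Assumes Lua 5.1 / LuaJIT (loadstring, setfenv)
-- and that the chunk runs interpreted, so the hook fires (20 iterations stay
-- below the JIT's hot-loop threshold).
local privs = {
  time_unit = 1,          -- seconds allowed per call
  time_total = 2,         -- seconds allowed total
  memory_unit = 4096,     -- kb allowed per call (readme says 4; raised so the bomb is visible)
  memory_total = 8192,    -- kb allowed total
  maxlength = math.huge,  -- characters allowed in code
}
local used = { time = 0, memory = 0 }   -- lifetime accounting (my field names)
-- Hypothetical run_limited: load `code` into an empty environment, run it under
-- the caps, charge what it consumed to `used`. Returns ok, result_or_reason.
local function run_limited(code)
  if #code > privs.maxlength then return false, "code too long" end
  local time_cap = math.min(privs.time_unit, privs.time_total - used.time)
  local mem_cap  = math.min(privs.memory_unit, privs.memory_total - used.memory)
  if time_cap <= 0 or mem_cap <= 0 then return false, "lifetime budget exhausted" end

  local chunk, err = loadstring(code, "=sandbox")
  if not chunk then return false, err end
  setfenv(chunk, {})   -- no string library, no os/io; `..` still works, hence the caps

  local t0, m0 = os.clock(), collectgarbage("count")   -- count is in kb
  local function watchdog()
    if os.clock() - t0 > time_cap then error("time limit exceeded", 0) end
    if collectgarbage("count") - m0 > mem_cap then error("memory limit exceeded", 0) end
  end
  -- Fires every 10 VM instructions. The check is after the fact: a single CONCAT
  -- can overshoot the cap by whatever it allocates, so keep the count small.
  debug.sethook(watchdog, "", 10)
  local ok, result = pcall(chunk)
  debug.sethook()

  used.time   = used.time + (os.clock() - t0)
  used.memory = used.memory + math.max(0, collectgarbage("count") - m0)
  return ok, result
end

-- Roberto's concatenation bomb from the thread, looped instead of written out.
local bomb = [[
  local L = "lol"
  for i = 1, 20 do L = L..L..L..L..L..L..L end   -- 3*7^i bytes each round
  return #L
]]
print(run_limited(bomb))
print(run_limited("return 1 + 1"))
print(used.time, used.memory)
```

The bomb is aborted by the watchdog once its allocations pass mem_cap, and the following call is refused up front because the bomb has consumed the lifetime memory budget. On Lua 5.2+ replace loadstring/setfenv with load(code, name, "t", env).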

On Wed, Dec 17, 2014 at 10:09 AM, steve donovan <steve.j.donovan@xxxxxxxxx>
wrote:
>
> On Wed, Dec 17, 2014 at 5:03 PM, Meae Flowright <scratchnloved@xxxxxxxxx>
> wrote:
> > By not passing default string operators, most of which aren't safe, to the
> > environment. The sandbox overloads the string type metatable with the
> > environment's string table if provided, otherwise it uses an empty table.
>
> That's the sensible thing to do (e.g. Penlight's pretty.load has a
> paranoid option)
>
> Roberto pointed out that one can still cause mayhem with simple string
> concatenation:
> L = "lol"
> L = L..L..L..L..L..L..L
> L = L..L..L..L..L..L..L
> L = L..L..L..L..L..L..L
> ....
>
> What kinds of space/time constraints can you impose on the running scripts?
