7

I was just working on a localizable Lua string solution when I came up with this hack, and the problem is that I don't know how to avoid being attacked by it :) So I'm wondering whether anyone has done something similar or knows how to protect against this kind of attack (in user code).

Because we can do this:

=("foo"):upper() -->output: FOO

it can be hacked like this:

getmetatable("foo").__index.upper = function() print("bye bye sucker");os.exit() end
=("foo"):upper() -->output: bye bye sucker (application quits)
-- or this way
=string.upper("bar") -->output: bye bye sucker (application quits)

Any ideas?

4

6 Answers

9

First and foremost execute untrusted code in sandboxed environment only – as it was said by other posters. Except for loading bytecode chunks, Lua allows all other sandboxing issues to be covered. (And bytecode chunk problems get fixed promptly as discovered.)

See Lua Live Demo for an example of sandboxing. Sources are available here.

Your specific problem with metatables is solved by setting a __metatable field:

If you set a __metatable field in the metatable, getmetatable will return the value of this field, whereas setmetatable will raise an error.

– Roberto Ierusalimschy, Programming in Lua 1st edition, 13.3 - Library-Defined Metamethods

For example:

> mt = { __metatable = true }                                                   
> t = {}
> setmetatable(t, mt)
> setmetatable(t, mt)
stdin:1: cannot change a protected metatable
stack traceback:
 [C]: in function 'setmetatable'
 stdin:1: in main chunk
 [C]: ? 

So, all you have to do is:

getmetatable("").__metatable = true
answered 2008-11-28T17:55:54.970
6

If your hacker is able to add code, and you need to allow that code to call things like os.exit, then you're pretty much out of luck anyway.

You can restrict the functions their code can call, though. That depends on what you still want the user code to be able to do. See the documentation for setfenv and google for "lua sandbox".

answered 2008-11-28T09:19:06.630
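An added worked example, not code from either of the two answers above, that puts them together: the `__metatable` lock from the first answer, and the restricted environment from the second (`setfenv` on Lua 5.1, `load` with an environment table on 5.2 and later). It also covers the one thing the lock alone does not: the second line of the hack in the question, `string.upper = ...`, never touches a metatable, because the `string` table itself is the `__index` and anyone holding that table can rewrite it. So user code here also gets a read-only view of `string` (and `table`, `math`) and no `os`, `io`, `debug`, `getmetatable` or `_G`. The helper names `readonly`, `load_sandboxed` and `run_user` are my own, and the sample scripts are constructed for the example.

```lua
-- Added example: __metatable lock plus a restricted environment for user code.
-- Runs on Lua 5.1 (setfenv/loadstring) and Lua 5.2+ (load with env).
-- readonly, load_sandboxed and run_user are hypothetical names for this example.

-- Read-only proxy: reads fall through to t, writes raise, and the proxy's own
-- metatable is locked so user code cannot swap it out.
local function readonly(t)
  return setmetatable({}, {
    __index = t,
    __newindex = function(_, k)
      error("attempt to modify read-only field '" .. tostring(k) .. "'", 2)
    end,
    __metatable = "locked",
  })
end

-- Compile untrusted source in env. Text chunks only: precompiled chunks start
-- with "\27Lua" and are not verified by the VM, so they are refused here.
local function load_sandboxed(code, env, name)
  if code:sub(1, 1) == "\27" then
    return nil, "bytecode chunks are not allowed"
  end
  if setfenv then                          -- Lua 5.1
    local fn, err = loadstring(code, name)
    if not fn then return nil, err end
    setfenv(fn, env)
    return fn
  end
  return load(code, name, "t", env)        -- Lua 5.2+; mode "t" also rejects bytecode
end

-- 1. The fix from the first answer: lock the string metatable. After this,
--    getmetatable("") returns true instead of the metatable table.
getmetatable("").__metatable = true

-- The first hack line from the question now fails even outside any sandbox:
-- indexing the boolean returned by getmetatable raises an error.
local ok = pcall(function()
  getmetatable("").__index.upper = function() print("bye bye sucker") os.exit() end
end)
assert(not ok, "metatable lock should block the first hack")

-- 2. Environment for untrusted code (the second answer's setfenv approach).
--    Deliberately absent: os, io, require, dofile, load/loadstring, debug,
--    getmetatable/setmetatable, rawset/rawget and _G.
local user_env = {
  string = readonly(string), table = readonly(table), math = readonly(math),
  print = print, pairs = pairs, ipairs = ipairs, tostring = tostring,
  tonumber = tonumber, type = type, select = select, pcall = pcall, error = error,
}

-- Returns ok, result-or-error for one untrusted chunk.
local function run_user(code)
  local fn, err = load_sandboxed(code, user_env, "user")
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed sample scripts. The first three are the attacks; all must fail.
-- The second hack line from the question: writing through the read-only proxy.
assert(not run_user([[ string.upper = function() return "bye bye sucker" end ]]))
-- No getmetatable in the environment (and the lock would stop it anyway).
assert(not run_user([[ getmetatable("").__index.upper = nil ]]))
-- No os table in the environment.
assert(not run_user([[ os.exit() ]]))

-- Legitimate use keeps working: method calls still go through the real string
-- table via the (locked) metatable, and reads through the proxy fall through.
local ok2, value = run_user([[ return ("foo"):upper() .. " " .. string.upper("bar") ]])
assert(ok2 and value == "FOO BAR", tostring(value))

-- The host's own string functions were never touched.
assert(("foo"):upper() == "FOO" and string.upper("bar") == "BAR")
print("all sandbox checks passed")
```

The lock has to be applied before any untrusted chunk runs, and it is global to the Lua state: afterwards the host itself can no longer inspect the string metatable either, so keep a reference to anything you need from it beforehand. Do not hand the real `string` table to user code by any route (including `_G` or a `package.loaded` entry), since one write to it affects every string method in the state.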
2

I'm not sure why you have a problem, since you probably already know about sandboxing: you can remove dangerous functions like io.exit, and you can make sure that the functions being overridden are only the ones in the user's global table, i.e. the Lua functions used internally by the application remain untouched.

Anyway, if the hacker can call os.exit directly, then the fact that he can shoot himself in the foot by supercharging an innocent function he will use later is his problem.

Moreover, the problem only arises if you run user functions on your server; for example, if the hacker breaks his own system, again, that's his problem!

Now, there is also the problem of distributing dangerous code: it's up to you to limit the power of user scripts. After all, that's what browsers do with JavaScript.

answered 2008-11-28T09:30:57.310
2

This security problem is typically illustrated with this sentence, said by Ford Prefect in the brilliant books The Hitchhiker's Guide to the Galaxy: It rather involved being on the other side of this airtight hatchway

My ability to write code cannot be said to be a security vulnerability, and if you can't control your code, that is your security problem, not what that code can do.

There are tons and tons of things you can do if you can just get the machine to execute some of your code. The security is to avoid getting the code in there in the first place. Everything after that is just collateral damage.

The way to avoid being hacked by that problem is to avoid getting unknown code into your application.

answered 2008-11-28T09:41:35.650
1

I don't see the possibility to redefine upper as the problem. Being able to see os.exit is the problem.

As suggested by others, make a sandboxed environment for your scripts. Each script can get a new one; then a person can redefine upper or anything like that, and all they'll screw up is their own thing.

Creating Lua states is so fast and easy, this won't cause any problems.

Another thing you might want to beware of is eternal loops. Making a 'watchdog' that kills a script after, say, 10000 instructions takes about 10 lines of C code. I can send you a sample if you need.

answered 2008-12-11T11:45:25.660
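As an added example, not part of the answer above: the watchdog it describes, written in Lua with `debug.sethook` instead of the ten lines of C, so it needs no changes to the host. It assumes Lua 5.1 or later; `run_with_budget`, `safe_pcall` and `BUDGET_EXCEEDED` are names chosen for this example and the scripts are constructed. It also handles a failure mode the answer does not mention: a script that wraps its loop in `pcall` would otherwise swallow the watchdog's error and keep running.

```lua
-- Added example: an instruction-count watchdog built on debug.sethook.
-- Works on Lua 5.1 and later. run_with_budget, safe_pcall and BUDGET_EXCEEDED
-- are hypothetical names chosen for this example.

local unpack = unpack or table.unpack        -- Lua 5.1 vs 5.2+

-- Sentinel error value. A private table rather than a string, so sandboxed
-- code cannot forge it and the host can recognise it reliably.
local BUDGET_EXCEEDED = setmetatable({}, {
  __tostring = function() return "instruction budget exceeded" end,
})

-- Run fn(...) but abort it once roughly `limit` VM instructions have executed.
-- The count hook fires every `step` instructions; once the budget is gone it
-- raises the sentinel, and keeps raising on every later firing, so a script
-- that catches the first error only buys itself a few more instructions.
local function run_with_budget(fn, limit, ...)
  local step = 1000                          -- hook granularity in VM instructions
  local remaining = limit
  local active = true
  debug.sethook(function()
    if not active then return end
    remaining = remaining - step
    if remaining <= 0 then error(BUDGET_EXCEEDED, 0) end
  end, "", step)
  local results = { pcall(fn, ...) }
  active = false                             -- stop firing before the host runs on
  debug.sethook()                            -- always disarm, even on error
  if not results[1] and results[2] == BUDGET_EXCEEDED then
    return false, tostring(BUDGET_EXCEEDED)
  end
  return unpack(results)
end

-- pcall replacement to expose to sandboxed code instead of the real pcall: it
-- lets a script handle its own errors but re-raises the watchdog sentinel, so
-- the script cannot use pcall to survive being killed.
local function safe_pcall(f, ...)
  local results = { pcall(f, ...) }
  if not results[1] and results[2] == BUDGET_EXCEEDED then
    error(BUDGET_EXCEEDED, 0)
  end
  return unpack(results)
end

-- Constructed scripts.
-- Well-behaved: finishes inside the budget and its return value comes back.
local ok, value = run_with_budget(function()
  local n = 0
  for i = 1, 100 do n = n + i end
  return n
end, 10000)
assert(ok and value == 5050)

-- Eternal loop: killed.
local ok2, err2 = run_with_budget(function() while true do end end, 10000)
assert(not ok2 and err2 == "instruction budget exceeded")

-- Eternal loop that tries to swallow the watchdog with pcall: still killed,
-- because safe_pcall re-raises the sentinel. With the real pcall in the
-- sandbox this script would run forever.
local ok3, err3 = run_with_budget(function()
  while true do safe_pcall(function() while true do end end) end
end, 10000)
assert(not ok3 and err3 == "instruction budget exceeded")
print("watchdog checks passed")
```

Two limits to keep in mind: the `debug` library must not be reachable from sandboxed code, or one call to `debug.sethook()` disarms the watchdog; and the budget counts Lua VM instructions only, so time spent inside a single C function (a huge `string.rep`, for instance) is not interrupted until control returns to Lua code.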
0

I have no solution (I don't use Lua, I'm just interested in it from afar), but what you're after is called a "sandbox". Google for Lua sandbox, I found a few seemingly interesting pages that way. For example: http://lua-users.org/wiki/SandBoxes.

answered 2008-11-28T09:33:31.517