Can Lupa be used to run untrusted lua code in python? -

-

let's create luaruntime register_eval=false , attribute_filter prevents access except few python functions. safe assume lua code won't able os.system("rm -rf *") or that?

from looking @ lupa doc:

restricting lua access python objects

lupa provides simple mechanism control access python objects. each attribute access can passed through filter function follows...

it doesn't preventing or limiting access facilities provided lua itself. if no other modifications done luaruntime environment lua script can indeed os.execute("rm -rf *").

to control kind of environment lua script works in can use setfenv , getfenv sandbox script before running it. example:

import lupa l = lupa.luaruntime() sandbox = l.eval("{}") setfenv = l.eval("setfenv")  sandbox.print   = l.globals().print sandbox.math    = l.globals().math sandbox.string  = l.globals().string sandbox.foobar  = foobar # etc...  setfenv(0, sandbox)

now doing l.execute("os.execute('rm -rf *')") result in script error.


Comments

Post a Comment

Popular posts from this blog

html - Styling progress bar with inline style -

-
i trying set progress bar color red using inline style. need in way because have access <body> part of document. style need apply: progress { color: red } progress::-moz-progress-bar { background: red;} progress::-webkit-progress-value { background: red; } progress[aria-valuenow]:before { background: red; } i tried <progress style="background: red;"> incorrect effect, progress bar color turns blue red background. guide right direction desired style? thank in advance. here live example: https://jsfiddle.net/z36d3f6l/
Read more

java - Oracle Sql developer error: could not install some modules -

-
i have downloaded fresh copy of sqldeveloper ( sqldeveloper-4.1.3.20.78-no-jre ) oracle website. when unzip , lauch gui, keep getting following error message: warning - not install modules: dynamic module config - no module providing capability org.netbeans.netbinox found. my system: windows 7 32 bit hp probook. jdk 1.6 , 1.7, 1.8 available in java/jdk subdirectory. netbeans 8.0.2 installed finally got way out after dirty hours. extracted sqldeveloper zip in nested directory. i.e: e://a/b/c/sqldeveloper. starting sqldeveloper gui above directory threw erros. solution: go in c:\users**username**\appdata\roaming : delete sql developer , sqldeveloper folders extract sql developer zip in new non nested directory. i.e: e:// start , should work now reference: https://community.oracle.com/thread/3870680?start=0&tstart=0
Read more

How to use autoclose brackets in Jupyter notebook? -

-
this may sound silly question, how make use of autoclose brackets in jupyter notebook? example, when type print( jupyter notebook auto-closes brakets print() and places cursor inside. type argument, say print(1 + 1) now cursor between second 1 , right bracket ) . key navigate right of ) ? of course can press end or → or ) achieve this, not seem save time, purpose of brackets autoclose suppose? thanks in advance.
Read more