globals.load(new PackageLib()) is necessary? #118

Closed
opened 2024-09-18 08:01:10 +00:00 by qiuhuanhen · 1 comment
qiuhuanhen commented 2024-09-18 08:01:10 +00:00 (Migrated from github.com)

Using Lua scripts from Java code, and to reduce the risk, I want to use just the base module (not all of JsePlatform.standardGlobals()).
This is the config code:

```java
import org.luaj.vm2.Globals;
import org.luaj.vm2.LoadState;
import org.luaj.vm2.LuaValue;
import org.luaj.vm2.compiler.LuaC;
import org.luaj.vm2.lib.Bit32Lib;
import org.luaj.vm2.lib.PackageLib;
import org.luaj.vm2.lib.StringLib;
import org.luaj.vm2.lib.TableLib;
import org.luaj.vm2.lib.jse.JseBaseLib;
import org.luaj.vm2.lib.jse.JseMathLib;

public class LuaConfig {
    private final Globals globals;

    public LuaConfig() {
        globals = new Globals();
        globals.load(new JseBaseLib());

        // exclude the PackageLib (manages Lua modules and packages; allows loading external Lua modules via the require() function)
        //globals.load(new PackageLib());

        globals.load(new Bit32Lib());
        globals.load(new TableLib());
        globals.load(new StringLib());
        globals.load(new JseMathLib());

        LoadState.install(globals);
        LuaC.install(globals);
    }

    public LuaValue executeLuaScript(String script) {
        // load and exec the script (load and execute the Lua script)
        LuaValue chunk = globals.load(script);
        return chunk.call();
    }
}
```

and it throws the exception Caused by: org.luaj.vm2.LuaError: attempt to index ? (a nil value);
after debugging I found that only the JseBaseLib module can be loaded without PackageLib.

If I load PackageLib, how could I use only the base functions and avoid the risk of the PackageLib module (avoid injection attacks)?

Could it be done safely with the following code?

```java
// load other ...
globals.load(new PackageLib());

// don't use require
globals.set("require", LuaValue.NIL);
// load other ...
```

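One way to build the restricted environment the question is after, written here as an added example (it is not code from the issue or from the luaj project). It assumes luaj 3.x, where the table/string/bit32/math libraries register themselves in `package.loaded` as they are loaded (which is why loading them without PackageLib fails with the nil-index error above), where PackageLib installs both the `require` function and the `package` table, and where JseBaseLib's `dofile`/`loadfile` read files through `globals.finder`. The class name `RestrictedLua`, the `BLOCKED` list and the sample scripts are my own.

```java
import org.luaj.vm2.Globals;
import org.luaj.vm2.LoadState;
import org.luaj.vm2.LuaError;
import org.luaj.vm2.LuaValue;
import org.luaj.vm2.compiler.LuaC;
import org.luaj.vm2.lib.Bit32Lib;
import org.luaj.vm2.lib.PackageLib;
import org.luaj.vm2.lib.StringLib;
import org.luaj.vm2.lib.TableLib;
import org.luaj.vm2.lib.jse.JseBaseLib;
import org.luaj.vm2.lib.jse.JseMathLib;

/** Globals for running untrusted Lua (e.g. a script taken from an HTTP parameter)
 *  with module loading and file access removed. Example code, not part of luaj. */
public class RestrictedLua {

    // Globals that an untrusted script must not be able to reach (assumption:
    // require/package come from PackageLib, dofile/loadfile from JseBaseLib).
    private static final String[] BLOCKED = { "require", "package", "dofile", "loadfile" };

    private final Globals globals;

    public RestrictedLua() {
        globals = new Globals();
        globals.load(new JseBaseLib());
        // PackageLib has to be present while the other libraries load, because
        // (assumption about luaj 3.x) each of them registers in package.loaded.
        globals.load(new PackageLib());
        globals.load(new Bit32Lib());
        globals.load(new TableLib());
        globals.load(new StringLib());
        globals.load(new JseMathLib());
        LoadState.install(globals);
        LuaC.install(globals);

        // Libraries are installed; now drop the loader and file-access entry points.
        // _G is the same table as globals, so _G.require disappears as well.
        for (String name : BLOCKED) {
            globals.set(name, LuaValue.NIL);
        }
        verifyBlocked();
    }

    /** Fail fast at startup if any blocked name is still reachable from Lua. */
    private void verifyBlocked() {
        for (String name : BLOCKED) {
            if (!globals.get(name).isnil()) {
                throw new IllegalStateException("global still reachable from scripts: " + name);
            }
        }
    }

    public LuaValue run(String script) {
        return globals.load(script).call();
    }

    public static void main(String[] args) {
        RestrictedLua lua = new RestrictedLua();

        // Constructed script that only uses the libraries we kept.
        System.out.println("allowed: " + lua.run("return string.upper('ok') .. #{1, 2, 3}"));

        // Constructed scripts that try the removed entry points; each must raise LuaError
        // ("attempt to call nil" / "attempt to index nil") rather than succeed.
        String[] mustFail = {
            "return require('os')",
            "return package.path",
            "return dofile('/tmp/placeholder.lua')",   // placeholder path
            "return _G.require('string')",
        };
        for (String s : mustFail) {
            try {
                lua.run(s);
                System.out.println("UNEXPECTED: ran " + s);
            } catch (LuaError e) {
                System.out.println("blocked: " + s + " -> " + e.getMessage());
            }
        }
    }
}
```

Setting only `require` to nil, as in the snippet in the question, still leaves the `package` table reachable (its `loaded`, `searchers` and `path` fields), so the example removes `package` as well, and it does so only after every library has been installed. This narrows which functions a script can reach; it does not bound CPU time or memory for a script supplied by a request, which needs a separate mechanism.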
qiuhuanhen commented 2024-09-18 08:05:32 +00:00 (Migrated from github.com)

The risk scenario can be seen as: the script as a parameter in an HTTP request.

Reference: open-autonomous-connection/luaj#118