fix(sandboxing) allow string.rep in sandboxed environments

kikito · web-flow · commit 8052fb255362 · 2021-05-20T01:37:42.000+08:00
Reasoning: the idea behind limiting access to string.rep was disallowing a single operation from allocating too much memory. Given that in LuaJIT there are no debug hooks, it is trivial to implement a loop which allocates a lot of memory on every single iteration. Plus, given that the `string` table was global and obtainable via any sandboxed string, its sandboxing provoked issues on the global state. This change accepts `string.rep` in sandboxed environments as a practical compromise. Fixes Kong#7062 Fixes Kong#7133
diff --git a/kong/tools/kong-lua-sandbox.lua b/kong/tools/kong-lua-sandbox.lua
@@ -1,5 +1,5 @@
 local sandbox = {
-  _VERSION      = "kong-lua-sandbox 1.0",
+  _VERSION      = "kong-lua-sandbox 1.1",
   _DESCRIPTION  = "A pure-lua solution for running untrusted Lua code.",
   _URL          = "https://github.com/kong/kong-lua-sandbox",
   _LICENSE      = [[
@@ -43,7 +43,6 @@ local BASE_ENV = {}
 
 -- List of unsafe packages/functions:
 --
--- * string.rep: can be used to allocate millions of bytes in 1 operation
 -- * {set|get}metatable: can be used to modify the metatable of global objects (strings, integers)
 -- * collectgarbage: can affect performance of other systems
 -- * dofile: can access the server filesystem
@@ -74,8 +73,8 @@ math.sin   math.sinh math.sqrt  math.tan  math.tanh
 os.clock os.difftime os.time
 
 string.byte string.char  string.find  string.format string.gmatch
-string.gsub string.len   string.lower string.match  string.reverse
-string.sub  string.upper
+string.gsub string.len   string.lower string.match  string.rep
+string.reverse string.sub  string.upper
 
 table.insert table.maxn table.remove table.sort
 
@@ -104,16 +103,13 @@ end)
 
 -- auxiliary functions/variables
 
-local string_rep = string.rep
-
 local function sethook(f, key, quota)
   if type(debug) ~= 'table' or type(debug.sethook) ~= 'function' then return end
   debug.sethook(f, key, quota)
 end
 
 local function cleanup()
   sethook()
-  string.rep = string_rep -- luacheck: no global
 end
 
 -- Public interface: sandbox.protect
@@ -161,8 +157,6 @@ function sandbox.protect(code, options)
       sethook(timeout, "", quota)
     end
 
-    string.rep = nil -- luacheck: no global
-
     local t = table.pack(pcall(f, ...))
 
     cleanup()
diff --git a/spec/01-unit/020-sandbox_spec.lua b/spec/01-unit/020-sandbox_spec.lua
@@ -240,6 +240,11 @@ describe("sandbox functions wrapper", function()
           _G.kong.configuration = deep_copy(base_conf)
         end)
 
+        it("has access to string.rep", function()
+          assert.same("aaa", sandbox.sandbox("return string.rep('a', 3)")())
+          assert.is_true(sandbox.sandbox("return ('a'):rep(3) == 'aaa'")())
+        end)
+
         it("has access to config.untrusted_lua_sandbox_environment", function()
           for _, m in ipairs(modules) do
             assert.same(find(m, _G), sandbox.sandbox(fmt("return %s", m))())
