Mojimi

Reputation: 3161

How to identify malicious code inside Lua scripts that may be obfuscated/encrypted

I am part of a popular forum that is all about sharing/selling Lua scripts, some are open source, some are not.

I would like to know if there is an automated way of identifying if a certain Lua script contains malicious code, for example: os.execute('format C:'), or just any os.execute command.

Because even if we require the user to provide the moderators with an open source copy of his script, how can we be sure it's the same? Or what if he changes the link to his script?

Thanks in advance.

Upvotes: 2

Views: 3191

Answers (1)

Paul Kulchenko

Reputation: 26794

Run the scripts inside a sandbox and only allow the safe commands to be executed. For example, disable os.execute. See the Lua SandBoxes wiki page for Lua-specific details.

If you need to allow calls like os.execute, but need to filter out some calls, then there is probably not much chance to secure it based on code review. What if the code includes something like os.execute('for'..'mat C'..string.char(58))? You can't even detect that it's 'format C:' without some code execution.

Upvotes: 2
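
The sandbox approach from the answer above, as an added example that is not part of the original answer or of the Lua wiki page: a whitelisted environment in which os.execute is replaced by a recording stub, so the obfuscated call is resolved at run time without anything being executed. It assumes Lua 5.2 or later; make_env, run_untrusted and the instruction budget are hypothetical names and choices made for illustration.

```lua
-- Added example, assumes Lua 5.2+ (load accepts mode and env arguments).
-- Whitelisted environment: nothing outside this table is visible as a global.
-- pcall and coroutine are left out on purpose, so the script cannot swallow
-- the budget error raised by the hook in run_untrusted.
local function make_env(log)
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, tostring = tostring,
    tonumber = tonumber, type = type, select = select,
    string = { char = string.char, byte = string.byte, sub = string.sub,
               format = string.format, len = string.len },
    table = { insert = table.insert, remove = table.remove,
              concat = table.concat },
    math = { floor = math.floor, max = math.max, min = math.min },
  }
  -- Stub in place of the real os.execute: it records the final command
  -- string and never runs it, so a moderator sees what would have executed.
  env.os = {
    execute = function(cmd) log[#log + 1] = tostring(cmd); return nil end,
    time = os.time, clock = os.clock,
  }
  return env
end

local function run_untrusted(source, max_steps)
  local log = {}
  -- Mode "t" accepts source text only and rejects precompiled bytecode.
  local chunk, err = load(source, "=submitted", "t", make_env(log))
  if not chunk then return false, err, log end
  -- Instruction budget so an endless loop cannot hang the review host.
  debug.sethook(function() error("instruction budget exceeded", 0) end,
                "", max_steps or 1000000)
  local ok, res = pcall(chunk)
  debug.sethook()  -- remove the hook again
  return ok, res, log
end

-- Constructed sample: the obfuscated call quoted in the answer.
local sample = [[os.execute('for'..'mat C'..string.char(58))]]
local ok, res, log = run_untrusted(sample)
for i, cmd in ipairs(log) do
  print(("os.execute call %d: %s"):format(i, cmd))
end
```

String methods stay reachable through the string metatable (for example ("x"):rep), so memory use has to be limited separately, for instance at the process level.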
