Reputation: 3161
I am part of a popular forum that is all about sharing/selling Lua scripts, some are open source, some are not.
I would like to know if there is an automated way of identifying whether a certain Lua script contains malicious code, for example `os.execute('format C:')`, or just any `os.execute` command.
Because, even if we require the user to provide the moderators with an open-source copy of his script, how can we be sure it's the same, or that he won't change the link to his script?
Thanks in advance.
Upvotes: 2
Views: 3191
Reputation: 26794
Run the scripts inside a sandbox and only allow the safe commands to be executed. For example, disable `os.execute`. See the Lua SandBoxes wiki page for Lua-specific details.
If you need to allow calls like `os.execute`, but need to filter out some calls, then there is probably not much chance to secure it based on code review. What if the code includes something like `os.execute('for'..'mat C'..string.char(58))`? You can't even detect that it's `'format C:'` without some code execution.
Upvotes: 2
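As an added example (not from the question or the answer above), here is a minimal Lua 5.2+ sandbox of the kind the answer describes: the untrusted script is compiled in text-only mode against a whitelisted environment table, so `os` is not reachable no matter how its arguments are assembled, and a count hook bounds runtime. The sample scripts, including the concatenation trick quoted in the answer, are constructed for this demonstration.

```lua
-- Added example, not code from the forum or the answer: a minimal Lua 5.2+ sandbox.
-- Untrusted code is compiled with load() against an environment that exposes only
-- safe functions, so os.execute is simply absent, however its call is spelled.

local function make_env()
  -- Whitelist of side-effect-free helpers. Deliberately omitted: os, io, load,
  -- loadstring, dofile, require, debug, package, rawset, setmetatable, getmetatable.
  return {
    print = print, pairs = pairs, ipairs = ipairs, type = type,
    tostring = tostring, tonumber = tonumber, select = select,
    math = math,
    string = { char = string.char, format = string.format, len = string.len,
               sub = string.sub, upper = string.upper, lower = string.lower },
    table = { concat = table.concat, insert = table.insert, sort = table.sort },
  }
end

-- Compiles and runs `code` (a string) in a fresh sandbox with an instruction budget.
-- Returns ok (boolean) and the script's result or the error message.
local function run_sandboxed(code, max_instructions)
  local env = make_env()
  -- Mode "t" rejects precompiled bytecode, which could otherwise escape the env.
  local fn, err = load(code, "=untrusted", "t", env)
  if not fn then return false, "compile error: " .. err end
  -- Count hook: abort runaway loops after N VM instructions.
  debug.sethook(function() error("instruction budget exceeded", 0) end,
                "", max_instructions or 1000000)
  local ok, res = pcall(fn)
  debug.sethook()  -- always clear the hook, even after an error
  return ok, res
end

-- Constructed untrusted scripts for the demonstration.
local samples = {
  [[return 1 + 2]],                                                   -- benign
  [[os.execute('format C:')]],                                        -- direct call
  [[local c = 'for'..'mat C'..string.char(58); return os.execute(c)]], -- obfuscated
  [[while true do end]],                                              -- runaway loop
}
for i, src in ipairs(samples) do
  local ok, res = run_sandboxed(src, 100000)
  print(i, ok, res)  -- 1 succeeds with 3; 2 and 3 fail indexing nil 'os'; 4 hits the budget
end
```

Two caveats this sketch does not cover: string values still carry the global string metatable, so memory exhaustion via something like `('x'):rep(1e9)` needs a separate limit, and on Lua 5.1 the same idea is expressed with `setfenv` instead of the fourth argument to `load`.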