Wire up lua sandbox to detection

J0eJ0h · Jan 4, 2024 · 638ed0f · 638ed0f
1 parent a3a2924
commit 638ed0f
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 6 deletions.
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -571,6 +571,7 @@ noinst_HEADERS = \
 	util-lua-http.h \
 	util-lua-ja3.h \
 	util-luajit.h \
+	util-lua-sandbox.h \
 	util-lua-smtp.h \
 	util-lua-ssh.h \
 	util-lua-tls.h \
@@ -1173,6 +1174,7 @@ libsuricata_c_a_SOURCES = \
 	util-lua-http.c \
 	util-lua-ja3.c \
 	util-luajit.c \
+	util-lua-sandbox.c \
 	util-lua-smtp.c \
 	util-lua-ssh.c \
 	util-lua-tls.c \

diff --git a/src/detect-lua.c b/src/detect-lua.c
@@ -91,6 +91,7 @@ void DetectLuaRegister(void)
 #else /* HAVE_LUA */
 
 #include "util-lua.h"
+#include "util-lua-sandbox.h"
 
 static int DetectLuaMatch (DetectEngineThreadCtx *,
         Packet *, const Signature *, const SigMatchCtx *);
@@ -105,6 +106,9 @@ static void DetectLuaRegisterTests(void);
 static void DetectLuaFree(DetectEngineCtx *, void *);
 static int g_smtp_generic_list_id = 0;
 
+// TODO: move to config
+static const uint64_t g_lua_alloc_limit = 500000, g_lua_instruction_limit = 500000;
+
 /**
  * \brief Registration function for keyword: lua
  */
@@ -605,7 +609,7 @@ static void *DetectLuaThreadInit(void *data)
     t->alproto = lua->alproto;
     t->flags = lua->flags;
 
-    t->luastate = LuaGetState();
+    t->luastate = sb_newstate(g_lua_alloc_limit, g_lua_instruction_limit);
     if (t->luastate == NULL) {
         SCLogError("luastate pool depleted");
         goto error;
@@ -707,7 +711,7 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld, const
 {
     int status;
 
-    lua_State *luastate = luaL_newstate();
+    lua_State *luastate = sb_newstate(g_lua_alloc_limit, g_lua_instruction_limit);
     if (luastate == NULL)
         return -1;
     luaL_openlibs(luastate);
@@ -989,10 +993,10 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld, const
 
     /* pop the table */
     lua_pop(luastate, 1);
-    lua_close(luastate);
+    sb_close(luastate);
     return 0;
 error:
-    lua_close(luastate);
+    sb_close(luastate);
     return -1;
 }
 

diff --git a/src/detect-lua.h b/src/detect-lua.h
@@ -27,6 +27,7 @@
 #ifdef HAVE_LUA
 
 #include "util-lua.h"
+#include "util-lua-sandbox.h"
 
 typedef struct DetectLuaThreadData {
     lua_State *luastate;

diff --git a/src/util-lua-sandbox.h b/src/util-lua-sandbox.h
@@ -21,6 +21,9 @@
  * \author Jo Johnson <[email protected]>
  */
 
+#ifndef __UTIL_LUA_SANDBOX_H__
+#define __UTIL_LUA_SANDBOX_H__
+
 #ifndef HAVE_LUA
 /* If we don't have Lua, create a typedef for sb_lua_State so the
  * exported Lua functions don't fail the build. */
@@ -85,4 +88,6 @@ void sb_resetinstructioncounter(lua_State *sb);
  */
 LUALIB_API void sb_loadrestricted(lua_State *L);
 
-#endif
+#endif /* HAVE_LUA */
+
+#endif /*  __UTIL_LUA_SANDBOX_H__ */
diff --git a/src/util-lua.c b/src/util-lua.c
@@ -55,6 +55,7 @@
 #include <lauxlib.h>
 
 #include "util-lua.h"
+#include "util-lua-sandbox.h"
 
 lua_State *LuaGetState(void)
 {
@@ -77,7 +78,7 @@ void LuaReturnState(lua_State *s)
 #ifdef HAVE_LUAJIT
         LuajitReturnState(s);
 #else
-        lua_close(s);
+        sb_close(s);
 #endif
     }
 }