From 9a531a894553aa61cc9feaa467102f5af0002515 Mon Sep 17 00:00:00 2001
From: program--
Date: Wed, 9 Nov 2022 13:50:43 -0800
Subject: [PATCH] fix: set package module to nil in lua namespace; prevents calling loaders

---
 internal/server/scripts.go | 3 +++
 tests/scripts_test.go      | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/server/scripts.go b/internal/server/scripts.go
index c5bc904d..657267ab 100644
--- a/internal/server/scripts.go
+++ b/internal/server/scripts.go
@@ -124,6 +124,9 @@ func (pl *lStatePool) New() *lua.LState {
 		}
 	}
 
+	// Set package module to Nil so loaders can't be accessed
+	L.SetGlobal("package", lua.LNil)
+
 	getArgs := func(ls *lua.LState) (evalCmd string, args []string) {
 		evalCmd = ls.GetGlobal("EVAL_CMD").String()
 
diff --git a/tests/scripts_test.go b/tests/scripts_test.go
index 13d03979..82f7abcc 100644
--- a/tests/scripts_test.go
+++ b/tests/scripts_test.go
@@ -71,6 +71,7 @@ func scripts_VULN_test(mc *mockServer) error {
 		{"EVAL", "return os.getenv", "0"}, {nil},
 		{"EVAL", "return os.clock", "0"}, {"ERR Unsupported lua type: function"},
 		{"EVAL", "return loadfile", "0"}, {nil},
-		{"EVAL", "return tonumber", "0"}, {"ERR Unsupported lua type: function"},
+		{"EVAL", "return tonumber(ARGV[1])", "0", "38"}, {"38"},
+		{"EVAL", "return package", "0"}, {nil},
 	})
 }
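Review bot: Clearing the `package` global removes the table that holds the loaders, but `require` is registered by the package library as a separate global, so the added `L.SetGlobal("package", lua.LNil)` leaves the function that consults those loaders in the script namespace; whether `require` can still reach the loader table once the global is nil depends on how the Lua runtime resolves it, which is not visible in this hunk, so it should be verified rather than assumed. Clearing both names together is the safer shape, `L.SetGlobal("require", lua.LNil)` next to the new line, and the comment would be more useful if it named what is taken away, e.g. `// Drop the package library (its loaders and loadlib) so scripts cannot load modules`. The test hunk in tests/scripts_test.go asserts that `package` evaluates to nil but has no case for `require`; a matching row such as `{"EVAL", "return require", "0"}, {nil}` would pin the whole restriction once the server clears it. The enclosing `New` method starts and ends outside the hunk.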