I want to run user submitted Lua code within Python using Lupa. To do this safely, I want to sandbox the Lua code at source-code level. So far, I've managed to prevent the user-supplied code from accessing any dangerous Lua functions.
Now, I want to restrict the user-supplied Lua code from accessing any Python objects/functions.
I've tried to create an attribute_filter that always raises an AttributeError:
def filter_attribute_access(obj, attr_name, is_setting):
raise AttributeError('access denied')
and initialized the LuaRuntime as follows:
lua_no_py = lupa.LuaRuntime(
register_eval=False,
attribute_filter=filter_attribute_access)
But I can still use Python functions, including built in ones:
obj = [1, 2, 3]
lua_func = lua_no_py.eval('function(py_obj) return python.iter(py_obj) end')
res = lua_func(obj)
print(res)
How can you prevent user-supplied code from accessing any Python code? And how do you test that it's successful?
Make a first eval with this: