It is very necessary to run dynamic Lua script code in a sandbox. Only then there is no chance for the user's serverless code to break the Lua runtime.
Once this malicious code modifies Lua's runtime, it has a chance to affect all requests. On Thu, Mar 31, 2022 at 8:20 PM shirui zhao <zhaoth...@gmail.com> wrote: > In the design of Apache APISIX, the code running in serverless allows > users to inject through configuration. So I am more inclined to think that > these hot-loaded codes are a kind of configuration, then it is a very bad > thing that the user's configuration causes Apache APISIX to crash. If the > serverless plugin itself crashes due to hot code, it is ok, but other > plugins and Apache APISIX core should be guaranteed to run stably. > > But this is actually difficult to do. For example, as I described in the > issue, users can easily manipulate ngx.var or ngx.ctx to cause Apache > APISIX to crash. If we limit this, the serverless plugin itself will lose > its flexibility. > > So can we only do some simple protection to restrict the use of some APIs? > Such as: setmatetable, package, io, os… > > — > Shirui Zhao > > > 2022年3月31日 上午11:41,Ming Wen <wenm...@apache.org> 写道: > > > > I'm not sure if sandbox is a good idea. > > Generally speaking, these serverless codes are written by engineers > > themselves. If there are security issues, custom plugins are facing the > > same issue. > > Sanbox is more suitable for uncontrolled environments, such as you > provide > > a SaaS service that allows users to run their own code. > > > > Thanks, > > Ming Wen, Apache APISIX PMC Chair > > Twitter: _WenMing > > > > > > ZhengSong Tu <tzssanggl...@gmail.com> 于2022年3月31日周四 11:24写道: > > > >> It is difficult to list all safe functions in the whitelist. > >> > >> It's not even possible to tell which functions are safe and which ones > are > >> not. > >> > >> *ZhengSong Tu* > >> My GitHub: https://github.com/tzssangglass > >> Apache APISIX: https://github.com/apache/apisix > >> > >> > >> 在 2022年3月31日 11:18:35 上,Kwanhur Huang <huang_hua2...@163.com> 写道: > >> > >>> Why not whitelist? A list of function allow to use will be better. > >>> > >>> > >>> Kwanhur Huang > >>> TL;DR > >>> > >>> 2022年3月30日 下午1:55,shirui zhao <zhaoth...@gmail.com> 写道: > >>> > >>> > >>> Hello, community, > >>> > >>> > >>> I noticed that Apache APISIX supports serverless plugins for hot > loading > >>> user's code, which is a very nice feature. However, Apache APISIX does > >> not > >>> seem to limit the execution environment of these hot codes, and there > may > >>> be some risks. > >>> > >>> The hot code loaded by lua and the framework code of the entire system > >> run > >>> in the same context. If there is an operation to operate the global > >>> environment in the hot loaded code, it will affect the function of the > >>> entire system. I wrote a simple in the issue. example[1]. Worse yet, > if a > >>> hacker uses malicious code, it could exploit this feature to attack the > >>> user's operating system. > >>> > >>> > >>> So I think Apache APISIX can add a layer of protection when executing > hot > >>> code, so that hot code can run in a sandbox. Here is an article[2] > >>> describing how to use sandboxing in lua code to safely execute hot > code, > >> we > >>> can refer to it. > >>> > >>> I personally think setting a blacklist of safe functions is more > >>> appropriate. What is everyone's opinion? Is there a better way to > achieve > >>> this? Welcome to discuss. > >>> > >>> > >>> [1]: https://github.com/apache/apisix/issues/6729 > >>> > >>> [2]: http://lua-users.org/wiki/SandBoxes > >>> > >>> > >>> > >>> -- > >>> > >>> Thanks, > >>> > >>> Shirui Zhao > >>> > >>> > >>> > >>> > >>> > >> > > -- *MembPhis* My GitHub: https://github.com/membphis Apache APISIX: https://github.com/apache/apisix
