0Pricing
Lua Academy · Lesson

Preventing Sandbox Escapes

Block debug library access, rawget/rawset misuse, and upvalue leaks.

The Escape Problem

Even with a whitelist environment, creative attackers may find ways to access the real global environment. This lesson covers known escape vectors and how to close them.

String Metatable Exploit

In Lua, strings have a shared metatable that exposes the string library. Sandboxed code can use a string to get a reference to string.rep and from there reach other libraries.

-- Escape vector (before patching):
local s = "hello"
local getenv = s.rep  -- reaches string library
-- Fix: use setmetatable on all sandboxed strings (not practical)
-- Better fix: override debug.getmetatable in the sandbox

All lessons in this course

  1. The _ENV Model in Lua 5.2+
  2. Building a Restricted Sandbox
  3. Preventing Sandbox Escapes
  4. Resource Limits and Instrumentation
← Back to Lua Academy