Preventing Sandbox Escapes
Block debug library access, rawget/rawset misuse, and upvalue leaks.
The Escape Problem
Even with a whitelist environment, creative attackers may find ways to access the real global environment. This lesson covers known escape vectors and how to close them.
String Metatable Exploit
In Lua, strings have a shared metatable that exposes the string library. Sandboxed code can use a string to get a reference to string.rep and from there reach other libraries.
-- Escape vector (before patching):
local s = "hello"
local getenv = s.rep -- reaches string library
-- Fix: use setmetatable on all sandboxed strings (not practical)
-- Better fix: override debug.getmetatable in the sandboxAll lessons in this course
- The _ENV Model in Lua 5.2+
- Building a Restricted Sandbox
- Preventing Sandbox Escapes
- Resource Limits and Instrumentation