Re: Custom readers and writer paths

[Albert Krewinkel <albert+pandoc-9EawChwDxG8hFhg+JK9F0w@public.gmane.org>]

John MacFarlane <jgm-TVLZxgkOlNX2fBVCVOL8/A@public.gmane.org> writes:

> I believe that currently one must specify the path to a custom
> Lua reader or writer: you can't put it in your data directory,
> as you can with a Lua filter, and it won't be found in your
> executable PATH.
>
> (Is that correct, Albert?)

I'm afraid it is.

> My question is whether we should change that.  I think it could
> be quite convenient to allow custom readers and writers to be
> distributed as Lua rocks.  You could then do `luarocks install
> cool-pandoc-writer` and it would put `cool-writer.lua` in the
> `bin` directory of your luarocks installation. Pandoc could then
> be trained to look in the executable path for a custom writer
> if it is not found locally.
>
> Alternatively, we could search a custom-writers and custom-readers
> subdirectory of the user data directory (as we do with filters).

I like both options, with a slight preference for the latter.

> It is a little cumbersome to have to copy the default
> writer/reader somewhere and pass its path to pandoc.  This may
> be good from a security point of view, however, as it makes it
> less likely that people will blindly use custom readers/writers
> from third parties, not realizing that a custom reader/writer
> could in principle do just about anything on your file system.

AFAIK, luarocks is rather relaxed when it comes to security. Just
installing a rock can lead to the execution of arbitrary code. I don't
feel like we should be too worried about the security implications of
running an already installed Lua library.

I'm not sure if it's better or worse, but we could also look for the
reader in LUA_PATH (via `require`). Using a bit of pseudo-code:

    if file_exists(reader_path) then
      dofile(reader_path)
      reader = Reader
    else
      reader = require (reader_path:gsub('.lua$', ''))
    end

The reader library would have to `return` the Reader function instead of
just defining it as a global.

> A related question: would it be possible for pandoc to set up
> the Lua environment in which custom readers/writers are run so
> that it is "sandboxed," limiting I/O operations to (e.g.) a
> local directory, or perhaps logging I/O operations as pandoc
> warnings?

It would be a lot of work. Julien Dutant asked a similar question
recently, and I listed my concerns there:
https://groups.google.com/g/pandoc-discuss/c/2dMimbemNpM/m/pLXPk4p0AQAJ


-- 
Albert Krewinkel
GPG: 8eed e3e2 e8c5 6f18 81fe  e836 388d c0b2 1f63 1124