public inbox archive for pandoc-discuss@googlegroups.com
* Lua filter security: safe mode?
@ 2022-05-10 13:45 Julien Dutant
From: Julien Dutant @ 2022-05-10 13:45 UTC (permalink / raw)
  To: pandoc-discuss


Hi all,

As discussed a while ago on 
https://github.com/pandoc/lua-filters/issues/207#issuecomment-1067959808 
and said in Pandoc's manual, running Lua filters downloaded from the internet 
is a security risk as Pandoc is run with full privileges. 

But doesn't all the risk come only from Lua's `os` module (and perhaps 
`io`?), which few filters actually use? If so, would it be possible for 
Pandoc to run Lua filters without this module, providing an alternative 
flag (something like --lua-filter-safe) to run a filter safely?

J


* Re: Lua filter security: safe mode?
From: Albert Krewinkel @ 2022-05-12 12:16 UTC (permalink / raw)
  To: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw


Julien Dutant <julien.dutant-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

> As discussed a while ago on
> https://github.com/pandoc/lua-filters/issues/207#issuecomment-1067959808
> and said in Pandoc's manual, running Lua filters downloaded from the
> internet is a security risk as Pandoc is run with full privileges.
>
> But doesn't all the risk come only from Lua's `os` module (and perhaps
> `io`?), which few filters actually use? If so, would it be possible for
> Pandoc to run Lua filters without this module, providing an alternative
> flag (something like --lua-filter-safe) to run a filter safely?

I had the intention of building a safe Lua filter system, but have given
up on that. There are just too many things that could go wrong.

For one, there are just too many potentially risky Lua functions.
Basically all functions in the `os` and `io` modules are unsafe, as are
`load`, `loadfile`, `dofile`, and `require`. Most functions in
`pandoc.system`, and `pandoc.mediabag` are problematic, as are the
functions `pandoc.utils.pipe` and `pandoc.utils.run_json_filter`, both
of which allow running arbitrary programs. Even seemingly innocent
functions like `pandoc.read` and `pandoc.references` can be used to
access the file system and could be used to exfiltrate information.

But the main reason for not attempting such a thing is actually that I
have security concerns about the basic pandoc-Lua-bridge. I'm not
confident enough that we could reliably prevent sandbox escapes; nobody
ever did a security audit of HsLua. I *think* there are no obvious
exploits, but I still wouldn't want to label something as "safe" unless
I'm 100% sure that the description is justified.

TL;DR: Implementing `--lua-filter-safe` might be possible, but it would
require a lot of work as well as expertise that's different from mine.

-- 
Albert Krewinkel
GPG: 8eed e3e2 e8c5 6f18 81fe  e836 388d c0b2 1f63 1124
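As an added example (my code, not pandoc's, HsLua's or the thread authors'), the defensive use a consumer of filters can make of the list above: a static triage scan that reports every occurrence of the functions Albert names in a filter's source before you decide whether to run it. The `_G` check and the sample "include" filter are constructed here; a clean scan is a reason to read less carefully, not a safety guarantee, which is exactly the reply's point.

```python
"""Static triage of a pandoc Lua filter: flag the calls named in the thread.
Constructed example; an empty result is *not* a safety guarantee."""
import re

# (category, regex). Function names are those listed in the reply; the `_G`
# check is an addition: reaching globals by name defeats a name-based scan.
RISKY_PATTERNS = [
    ("os/io module", r"\b(?:os|io)\.\w+"),
    ("code loading", r"\b(?:load|loadfile|dofile|require)\b"),
    ("pandoc.system / pandoc.mediabag", r"\bpandoc\.(?:system|mediabag)\.\w+"),
    ("arbitrary program execution", r"\bpandoc\.utils\.(?:pipe|run_json_filter)\b"),
    ("file access via pandoc.read / pandoc.references", r"\bpandoc\.(?:read|references)\b"),
    ("indirect global access (_G)", r"\b_G\b"),
]

def strip_comments(source: str) -> str:
    """Drop Lua `--` line comments (approximate: ignores `--[[ ]]` blocks and
    `--` inside strings) so commented-out calls are not reported."""
    return re.sub(r"--.*$", "", source, flags=re.M)

def scan_filter(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, category, matched_text) for every risky call."""
    hits = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), start=1):
        for category, pattern in RISKY_PATTERNS:
            for m in re.finditer(pattern, line):
                hits.append((lineno, category, m.group(0)))
    return hits

# Constructed sample: a typical-looking "include" filter, not a real project's.
SAMPLE_FILTER = """\
-- constructed sample: adds a date and inlines included files
function Meta(m)
  m.date = os.date("%Y-%m-%d")
  local extra = dofile("extra.lua")
  return m
end
function CodeBlock(cb)
  if cb.classes:includes("include") then
    return pandoc.read(io.open(cb.text):read("a")).blocks
  end
end
"""

if __name__ == "__main__":
    for lineno, category, text in scan_filter(SAMPLE_FILTER):
        print(f"line {lineno}: {text} ({category})")
```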



* Re: Lua filter security: safe mode?
From: Albert Krewinkel @ 2022-05-12 13:15 UTC (permalink / raw)
  To: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw

Addendum: If you'd like to allow users to run arbitrary filters, then
consider running pandoc in a virtual machine. That step should ensure
sufficient isolation of the process. Maybe even just a Docker container
would be ok, but see <https://security.stackexchange.com/q/107850>.


Albert Krewinkel <albert+pandoc-9EawChwDxG8hFhg+JK9F0w@public.gmane.org> writes:

> Julien Dutant <julien.dutant-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
>
>> As discussed a while ago on
>> https://github.com/pandoc/lua-filters/issues/207#issuecomment-1067959808
>> and said in Pandoc's manual, running Lua filters downloaded from the
>> internet is a security risk as Pandoc is run with full privileges.
>>
>> But doesn't all the risk come only from Lua's `os` module (and perhaps
>> `io`?), which few filters actually use? If so, would it be possible for
>> Pandoc to run Lua filters without this module, providing an alternative
>> flag (something like --lua-filter-safe) to run a filter safely?
>
> I had the intention of building a safe Lua filter system, but have given
> up on that. There are just too many things that could go wrong.
>
> For one, there are just too many potentially risky Lua functions.
> Basically all functions in the `os` and `io` modules are unsafe, as are
> `load`, `loadfile`, `dofile`, and `require`. Most functions in
> `pandoc.system`, and `pandoc.mediabag` are problematic, as are the
> functions `pandoc.utils.pipe` and `pandoc.utils.run_json_filter`, both
> of which allow running arbitrary programs. Even seemingly innocent
> functions like `pandoc.read` and `pandoc.references` can be used to
> access the file system and could be used to exfiltrate information.
>
> But the main reason for not attempting such a thing is actually that I
> have security concerns about the basic pandoc-Lua-bridge. I'm not
> confident enough that we could reliably prevent sandbox escapes; nobody
> ever did a security audit of HsLua. I *think* there are no obvious
> exploits, but I still wouldn't want to label something as "safe" unless
> I'm 100% sure that the description is justified.
>
> TL;DR: Implementing `--lua-filter-safe` might be possible, but it would
> require a lot of work as well as expertise that's different from mine.
>
> -- 
> Albert Krewinkel
> GPG: 8eed e3e2 e8c5 6f18 81fe  e836 388d c0b2 1f63 1124


-- 
Albert Krewinkel
GPG: 8eed e3e2 e8c5 6f18 81fe  e836 388d c0b2 1f63 1124

