Re: Lua filter security: safe mode?

[Albert Krewinkel <albert+pandoc-9EawChwDxG8hFhg+JK9F0w@public.gmane.org>]

Julien Dutant <julien.dutant-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

> As discussed a while ago on
> https://github.com/pandoc/lua-filters/issues/207#issuecomment-1067959808
> and said in Pandoc's manual, running Lua filters downloaded from
> internet is a security risk as Pandoc is run with full privileges.
>
> But doesn't all the risk only comes for Lua's `os` module (and perhaps
> io?), which few filters actually use? If so, would it be possible for
> Pandoc to run Lua filters without this module, providing an alternative
> flag (something like --lua-filter-safe) to run a filter safely?

I had the intention of building a safe Lua filter system, but have given
up on that. There are just too many things that could go wrong.

For one, there are just too many potentially risky Lua functions.
Basically all functions in the `os` and `io` modules are unsafe, as are
`load`, `loadfile`, `dofile`, and `require`. Most functions in
`pandoc.system`, and `pandoc.mediabag` are problematic, as are the
functions `pandoc.utils.pipe` and `pandoc.utils.run_json_filter`, both
of which allow to run arbitrary programs. Even seemingly innocent
functions like `pandoc.read` and `pandoc.references` can be used to
access the file system and could be used to exfiltrate information.

But the main reason for not attempting such a thing is actually that I
have security concerns about the basic pandoc-Lua-bridge. I'm not
confident enough that we could reliably prevent sandbox escapes; nobody
ever did an security audit of HsLua. I *think* there are no obvious
exploits, but I still wouldn't want to label something as "safe" unless
I'm 100% sure that the description is justified.

TL;DR: Implementing `--lua-filter-safe` might be possible, but it would
require a lot of work as well as expertise that's different from mine.

-- 
Albert Krewinkel
GPG: 8eed e3e2 e8c5 6f18 81fe  e836 388d c0b2 1f63 1124