-
Notifications
You must be signed in to change notification settings - Fork 1
/
lua_unsafe_function.yaml
29 lines (29 loc) · 1.2 KB
/
lua_unsafe_function.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
rules:
- id: lua_unsafe_function
metadata:
author: Sergey Bronnikov <estetus@gmail.com>
description: Unsafe function.
message: |
Detected the use of loadstring(). loadstring() can be
dangerous if used to evaluate dynamic content. If this
content can be input from outside the program, this may be
a code injection vulnerability. Ensure evaluated content is
not definable by external sources.
Lua 5.2 does not have bytecode verification anymore. So,
all functions that load code (`load` and `loadfile`) are
potentially insecure when loading untrusted binary data.
(Actually, those functions were already insecure because of
flaws in the verification algorithm.) When in doubt, use
the mode argument of those functions to restrict them to
loading textual chunks.
# https://fuzz-introspector.readthedocs.io/en/latest/user-guides/analyse-sink-function.html
languages: [lua]
severity: WARNING
pattern-either:
- pattern: dofile(...)
- pattern: io.popen(...)
- pattern: load(...)
- pattern: loadfile(...)
- pattern: loadstring(...)
- pattern: os.execute(...)
- pattern: os.remove(...)