Re: [luatex] Make luatex security wrappers available
On Friday, January 24th, 2025 at 14:53, luigi scarso wrote: > > > On Fri, 24 Jan 2025 at 13:06, Lukas Heindl via luatex wrote: > > > Hi, > > > > alright, I see. > > > > There is one (not security critical) odd thing regarding these wrappers. > > Why do you check names/paths for output and input regarding kpse when > > wrapping mkdir? [1] > > Checking if it's a valid output totally makes sense, but why also check if > > it's a valid output? > > (sorry for bothering again, but since this is security related, I don't > > want to silently ignore this here) > > > > I see according to git blame this was changed ~1 year ago when adding the > > wrapper but maybe someone still knows the rational behind this. > > Also to be clear, I'm not seeking to remove the additional check in luatex, > > I just want to understand (and react based on it for the custom wrapper I'm > > writing). > > > iirc to be safe with in/out names, see kpathsea.info 5.6.4 Auxiliary tasks . > > -- > luigi Hi, I see [1] describes what these functions check. But I still don't quite get how mkdir is related to input names. Isn't mkdir exclusively about output stuff? Lukas [1]: https://tug.org/texinfohtml/kpathsea.html#Auxiliary-tasks
Re: [luatex] Make luatex security wrappers available
On Fri, 24 Jan 2025 at 13:06, Lukas Heindl via luatex wrote: > Hi, > > alright, I see. > > There is one (not security critical) odd thing regarding these wrappers. > Why do you check names/paths for output and input regarding kpse when > wrapping mkdir? [1] > Checking if it's a valid output totally makes sense, but why also check if > it's a valid output? > (sorry for bothering again, but since this is security related, I don't > want to silently ignore this here) > > I see according to git blame this was changed ~1 year ago when adding the > wrapper but maybe someone still knows the rational behind this. > Also to be clear, I'm not seeking to remove the additional check in > luatex, I just want to understand (and react based on it for the custom > wrapper I'm writing). > > iirc to be safe with in/out names, see kpathsea.info 5.6.4 Auxiliary tasks . -- luigi
Re: [luatex] Make luatex security wrappers available
Hi, alright, I see. There is one (not security critical) odd thing regarding these wrappers. Why do you check names/paths for output and input regarding kpse when wrapping mkdir? [1] Checking if it's a valid output totally makes sense, but why also check if it's a valid output? (sorry for bothering again, but since this is security related, I don't want to silently ignore this here) I see according to git blame this was changed ~1 year ago when adding the wrapper but maybe someone still knows the rational behind this. Also to be clear, I'm not seeking to remove the additional check in luatex, I just want to understand (and react based on it for the custom wrapper I'm writing). With kind regards Lukas [1]: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/fb02a155b41f461327899811835f78ba52f41c28/source/texk/web2c/luatexdir/lua/luatex-core.lua#L269 On Tuesday, January 21st, 2025 at 22:36, Hans Hagen wrote: > > > On 1/21/2025 10:03 PM, Lukas Heindl via luatex wrote: > > > Hi, > > > > sorry to bother you again. I have another request probably also into the > > direction of libraries. In order to make the script work with all engines, > > we need to execute the script (instead of loading it with require() as this > > would only work in lualatex). As a result, the script will be totally > > unrestricted and none of the security wrappers that would be in place with > > shell-restricted enabled are available. The issue is we do still want to > > make the script be secure (actually we want it to be in the list of > > commands allowed with shell-restricted in the end). > > For this we already wrap security sensitive functions like io.lines to put > > the security guards of shell-restricted back in place. But here it is easy > > to miss some checks and also it weakens security in general if we need to > > implement these security wrappers over and over again (maybe this can be > > compared to "never roll your own crypto"). Also in the future we might find > > a bug / vulnerability in the security wrapper and it would be not only > > laborious but also prone to errors (keeping attack vectors open) having to > > apply the patch to all utilities shipping their own security wrappers. > > > > So you might already guessed what I'm asking for: Can we somehow make the > > wrappers that are defined in luatex anyhow (and it wouldn't make much sense > > to implement them anywhere else) available to texlua scripts? Precisely, > > I'm speaking of the functions defined / assigned here 1. > > > > You'd probably just need to move these functions to a security/io library > > and refer to it at the place where you currently define these wrappers. Oh > > and of course the table reflecting this library probably should be > > read-only in order to avoid the user tampering (deleting or even worse > > modifying) these wrappers. But this can be done in lua e.g. like it is > > documented in PIL 2 (I know this is the old 5.0 version, but the snippet > > still works reliably). > > You could of course still make copies of the functions for the > > luatex-core.lua file, but having the library read-only probably also makes > > sense in this regard. > > > > I see you probably want to keep luatex small in order to make it easier to > > maintain and move as much as possible (like the pathutil in my previous > > request) to external lua libraries. But in this case any duplication of > > this code makes it more likely someone forgets to patch it or makes a > > mistake in implementing it correctly. > > > > If you consider implementing this and I can help somehow, just let me know. > > > > With kind regards > > Lukas > > > As Luigi already mentioned, one can do a lot in lua so that's where the > work has to be done and we have no plans for extensions like these. As > luatex is rather stable it is unlikely that something file / execute etc > related will be added or change. Messing and opening up the security > related helpers only can make things worse. > > Also keep in mind that using external libraries in itself is a security > risk. And tex users should know what they're doing / running as there > are ways tex and friends can mess up your system anyway. > > Hans > > > - > Hans Hagen | PRAGMA ADE > Ridderstraat 27 | 8061 GH Hasselt | The Netherlands > tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl > -
Re: [luatex] Make luatex security wrappers available
On 1/21/2025 10:03 PM, Lukas Heindl via luatex wrote: Hi, sorry to bother you again. I have another request probably also into the direction of libraries. In order to make the script work with all engines, we need to execute the script (instead of loading it with require() as this would only work in lualatex). As a result, the script will be totally unrestricted and none of the security wrappers that would be in place with shell-restricted enabled are available. The issue is we do still want to make the script be secure (actually we want it to be in the list of commands allowed with shell-restricted in the end). For this we already wrap security sensitive functions like io.lines to put the security guards of shell-restricted back in place. But here it is easy to miss some checks and also it weakens security in general if we need to implement these security wrappers over and over again (maybe this can be compared to "never roll your own crypto"). Also in the future we might find a bug / vulnerability in the security wrapper and it would be not only laborious but also prone to errors (keeping attack vectors open) having to apply the patch to all utilities shipping their own security wrappers. So you might already guessed what I'm asking for: Can we somehow make the wrappers that are defined in luatex anyhow (and it wouldn't make much sense to implement them anywhere else) available to texlua scripts? Precisely, I'm speaking of the functions defined / assigned here [1]. You'd probably just need to move these functions to a security/io library and refer to it at the place where you currently define these wrappers. Oh and of course the table reflecting this library probably should be read-only in order to avoid the user tampering (deleting or even worse modifying) these wrappers. But this can be done in lua e.g. like it is documented in PIL [2] (I know this is the old 5.0 version, but the snippet still works reliably). You could of course still make copies of the functions for the luatex-core.lua file, but having the library read-only probably also makes sense in this regard. I see you probably want to keep luatex small in order to make it easier to maintain and move as much as possible (like the pathutil in my previous request) to external lua libraries. But in this case any duplication of this code makes it more likely someone forgets to patch it or makes a mistake in implementing it correctly. If you consider implementing this and I can help somehow, just let me know. With kind regards Lukas [1]: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/07c0b354d913a32dd3faf79f05f0f103c55416d0/source/texk/web2c/luatexdir/lua/luatex-core.lua#L322-L341 [2]: https://www.lua.org/pil/13.4.5.html As Luigi already mentioned, one can do a lot in lua so that's where the work has to be done and we have no plans for extensions like these. As luatex is rather stable it is unlikely that something file / execute etc related will be added or change. Messing and opening up the security related helpers only can make things worse. Also keep in mind that using external libraries in itself is a security risk. And tex users should know what they're doing / running as there are ways tex and friends can mess up your system anyway. Hans - Hans Hagen | PRAGMA ADE Ridderstraat 27 | 8061 GH Hasselt | The Netherlands tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl -
