Topic on Extension talk:Scribunto/Flow

SecurityAnalyst720 (talk | contribs)

Some security concerns were raised when it was proposed to install Scribunto on our wiki: "This extension suggests adding a programming language (lua) to the wiki, accessible by all users. Nothing less! Some people criticize us already for using javascript as security risk, that is a wiki native language... And how many are already using wikitext efficiently? The same thing can be done using a sampler template that could be written without this extension."

How can these concerns be addressed? Thanks.

Mdowdell (talk | contribs)

I imagine there are many more qualified people to answer this than me, but note that this isn't the whole of Lua. Some methods have been disabled due to security concerns; see Extension:Scribunto/Lua reference manual#Removed functions and packages for more details. There's also a limit to the amount of memory and parsing time Lua can use during parsing. Whilst this was likely implemented as a way of spotting which modules/templates perform very badly, it hopefully answers your second concern :)

SecurityAnalyst720 (talk | contribs)

Maybe it would also alleviate some concerns to restrict access to the Module namespace to sysops only.

Mdowdell (talk | contribs)

I don't think that's something that should be enabled by default; the normal protection feature works fine in my experience, but obviously it can be adjusted in your wiki's LocalSettings.php if that's what you decide on.

BJorsch (WMF) (talk | contribs)

Good answer, mdowdell.

To expand on that: Lua is particularly well-designed for sandboxing, and was thoroughly reviewed by Tim Starling, who is one of the WMF's top security and performance experts, as part of the process of developing Scribunto. When using the standalone interpreter, only a simple "server" runs in the full environment; most Scribunto code is loaded in a sandbox that has all "dangerous" functions removed, and user code is further loaded in another sandbox within the sandbox. When using the luasandbox PHP extension, the "dangerous" functions are not loaded into the Lua interpreter in the first place, and user code is still loaded within an inner sandbox.

With the standalone interpreter, memory and CPU time limits are enforced using Linux's ulimit mechanism, while with the luasandbox PHP extension they are built into the extension itself.

As for "The same thing can be done using a s[i]mpler template that could be written without this extension", if that's actually true for your situation then you may not actually need Scribunto. But on Wikipedia and other WMF projects, there were many templates (particularly things like "substr") that are now much faster and simpler with Scribunto, and there are other things that have been done with Scribunto that were effectively impossible before.

Reply to "Security concerns"
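
An added illustration of the allowlisted-environment sandboxing discussed in this thread, written for Lua 5.1; it is not code from Scribunto, luasandbox or any participant, and `make_env`, `run_untrusted` and `STEP_LIMIT` are hypothetical names. It shows a single sandbox level and, as the comments note, leaves memory limits to an outer mechanism such as ulimit.

```lua
-- Added example for Lua 5.1; not Scribunto's implementation.
-- make_env, run_untrusted and STEP_LIMIT are hypothetical names.

local STEP_LIMIT = 100000  -- VM instructions allowed per run (constructed value)

-- Allowlist: only these globals exist for the untrusted chunk.
-- Deliberately absent: os, io, require, package, debug, load, loadstring,
-- dofile, getfenv/setfenv, and pcall (pcall would let user code swallow
-- the step-limit error raised below and keep running).
local function make_env()
  local env = {
    ipairs = ipairs, pairs = pairs, select = select, type = type,
    tostring = tostring, tonumber = tonumber, error = error,
    math  = { floor = math.floor, max = math.max, min = math.min },
    table = { concat = table.concat, insert = table.insert },
  }
  env._G = env  -- _G inside the sandbox points at the sandbox, not the host
  return env
end

-- Compile source text, bind it to a fresh allowlisted environment and run it
-- under an instruction-count hook. Returns ok, result_or_error.
local function run_untrusted(source)
  -- Lua 5.1's loadstring also accepts precompiled bytecode, which is not
  -- verified by the VM; accept source text only.
  if source:sub(1, 1) == "\27" then
    return false, "bytecode rejected"
  end
  local chunk, err = loadstring(source, "=user")
  if not chunk then return false, err end
  setfenv(chunk, make_env())
  -- The count hook bounds Lua-level loops. It does not interrupt time spent
  -- inside C functions, and string methods stay reachable through the shared
  -- string metatable, so memory and wall-clock limits still have to be
  -- enforced from outside the interpreter.
  debug.sethook(function() error("step limit exceeded", 0) end, "", STEP_LIMIT)
  local ok, result = pcall(chunk)
  debug.sethook()  -- always remove the hook before returning to host code
  return ok, result
end

-- Constructed sample inputs: an allowed call, a removed library,
-- an endless loop, and a bytecode-style header.
print(run_untrusted("return math.max(2, 7)"))
print(run_untrusted("return os.getenv('HOME')"))
print(run_untrusted("while true do end"))
print(run_untrusted("\27Lua"))
```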