lua: disable lua rules by default

To protect against possible supply chain attacks, disable Lua rules by default. They can be enabled under the "security" section of suricata.yaml. Ticket: #6122
3 years ago · b95bbcc66d
parent 342e21a5ef
commit b95bbcc66d
2 changed files with 18 additions and 1 deletions
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@ -1002,6 +1002,16 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
    DetectLuaData *lua = NULL;
    SigMatch *sm = NULL;

+    /* First check if Lua rules are enabled, by default Lua in rules
+     * is disabled. */
+    int enabled = 0;
+    (void)ConfGetBool("security.lua.allow-rules", &enabled);
+    if (!enabled) {
+        SCLogError(SC_ERR_NO_LUA_SUPPORT,
+                "Lua rules disabled by security configuration: security.lua.allow-rules");
+        goto error;
+    }
+
    lua = DetectLuaParse(de_ctx, str);
    if (lua == NULL)
        goto error;
@ -1156,6 +1166,8 @@ static void DetectLuaFree(DetectEngineCtx *de_ctx, void *ptr)
 /** \test http buffer */
 static int LuaMatchTest01(void)
 {
+    ConfSetFinal("security.lua.allow-rules", "true");
+
    const char script[] =
        "function init (args)\n"
        "   local needs = {}\n"
@ -2941,4 +2953,4 @@ void DetectLuaRegisterTests(void)
    UtRegisterTest("LuaMatchTest06a", LuaMatchTest06a);
 }
 #endif
-#endif /* HAVE_LUAJIT */
+#endif /* HAVE_LUAJIT */
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -1014,6 +1014,11 @@ asn1-max-frames: 256
 #  user: suri
 #  group: suri

+security:
+  lua:
+    # Allow Lua rules. Disabled by default.
+    #allow-rules: false
+
 # Some logging modules will use that name in event as identifier. The default
 # value is the hostname
 #sensor-name: suricata