
Lua code: security overview and practical approaches to static analysis [pdf] - lainon
http://spw17.langsec.org/papers/costin-lua-static-analysis.pdf
======
mpeterv
> Security Analyzer ... walks the AST and performs the taint propagation and
> analysis on the AST. This way it is able to detect potential vulnerable
> blocks that allow dangerous tainted inputs from the user into the sensitive
> sinks.

This is basically the only thing about their detection method, which is pretty
disappointing, even more so compared to exciting things like 'inter- and
intra-procedural data flow analysis' in the related work section.

> Alternatively, one could use the parsers from the existing tools, such as
> LuaCheck [17] or lua-checker [19]. Unfortunately the parsers in those tools
> are tailored to particular versions of Lua specifications and adapting them
> to all or latest Lua specifications may be untrivial or may introduce bugs
> and unnecessary complexity.

Wrong, at least for the Luacheck parser: it supports all Lua syntax starting
from 5.1.

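The AST taint propagation the quoted passage describes, as an added example that is not code from the paper, from Luacheck or from lua-checker: a Python walk over a hand-built AST for a short constructed Lua snippet, with taint introduced at sources (`io.read`), propagated through assignment and concatenation, cleared by a sanitizer (`tonumber`) and reported when it reaches a sink (`os.execute`, `io.popen`). The source, sink and sanitizer lists, the AST node shapes and the snippet itself are assumptions for this demo, not the paper's configuration.

```python
"""Intra-procedural taint propagation over a Lua-like AST (added example).

PROGRAM below is a hand-built AST for this constructed Lua snippet:

    1  local name = io.read("l")
    2  local cmd  = "ls " .. name
    3  if name ~= "" then
    4    os.execute(cmd)
    5  end
    6  local n = tonumber(name)
    7  os.execute("sleep " .. n)
    8  local h = io.popen(cmd)
"""
from dataclasses import dataclass

SOURCES = {"io.read", "io.lines", "arg"}                           # assumed untrusted input
SINKS = {"os.execute", "io.popen", "load", "loadstring", "dofile"}  # assumed dangerous sinks
SANITIZERS = {"tonumber"}   # assumed: yields a number or nil, so shell metacharacters cannot survive


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    argument: str


def show(e):
    """Render an expression node back to Lua-ish text for reporting."""
    kind = e[0]
    if kind == "str":
        return '"%s"' % e[1]
    if kind == "name":
        return e[1]
    if kind == "concat":
        return "%s .. %s" % (show(e[1]), show(e[2]))
    if kind == "binop":
        return "%s %s %s" % (show(e[2]), e[1], show(e[3]))
    return "%s(%s)" % (e[1], ", ".join(show(a) for a in e[2]))   # call


class TaintAnalyzer:
    def __init__(self, sources=SOURCES, sinks=SINKS, sanitizers=SANITIZERS):
        self.sources, self.sinks, self.sanitizers = sources, sinks, sanitizers
        self.findings = []

    def run(self, program):
        self.findings = []
        self.block(program, {})
        return list(self.findings)

    def block(self, stmts, env):
        """Walk a statement list in order; env maps variable name -> tainted?"""
        env = dict(env)
        for s in stmts:
            kind, line = s["kind"], s["line"]
            if kind in ("local", "assign"):
                env[s["name"]] = self.expr(s["expr"], env, line)
            elif kind == "call":
                self.expr(s["expr"], env, line)
            elif kind == "if":
                self.expr(s["cond"], env, line)
                then_env = self.block(s["then"], env)
                else_env = self.block(s.get("else", []), env)
                # path-insensitive merge: tainted afterwards if tainted on either branch
                env = {v: then_env.get(v, False) or else_env.get(v, False)
                       for v in set(then_env) | set(else_env)}
            else:
                raise ValueError("unknown statement kind %r" % (kind,))
        return env

    def expr(self, e, env, line):
        """Return True if e may carry attacker-controlled data; record sink hits."""
        kind = e[0]
        if kind == "str":
            return False
        if kind == "name":
            return env.get(e[1], False)
        if kind in ("concat", "binop"):   # both operands are visited so nested calls are checked
            left, right = self.expr(e[-2], env, line), self.expr(e[-1], env, line)
            return left or right
        callee, args = e[1], e[2]          # kind == "call"
        tainted = [self.expr(a, env, line) for a in args]
        if callee in self.sinks:
            for a, t in zip(args, tainted):
                if t:
                    self.findings.append(Finding(line, callee, show(a)))
        if callee in self.sources:
            return True
        if callee in self.sanitizers:
            return False
        return any(tainted)                # unknown (or sink) function: propagate conservatively


PROGRAM = [  # constructed AST for the snippet in the module docstring
    {"kind": "local", "line": 1, "name": "name", "expr": ("call", "io.read", [("str", "l")])},
    {"kind": "local", "line": 2, "name": "cmd", "expr": ("concat", ("str", "ls "), ("name", "name"))},
    {"kind": "if", "line": 3, "cond": ("binop", "~=", ("name", "name"), ("str", "")),
     "then": [{"kind": "call", "line": 4, "expr": ("call", "os.execute", [("name", "cmd")])}]},
    {"kind": "local", "line": 6, "name": "n", "expr": ("call", "tonumber", [("name", "name")])},
    {"kind": "call", "line": 7, "expr": ("call", "os.execute", [("concat", ("str", "sleep "), ("name", "n"))])},
    {"kind": "local", "line": 8, "name": "h", "expr": ("call", "io.popen", [("name", "cmd")])},
]


def analyze_program(program=PROGRAM, **kwargs):
    return TaintAnalyzer(**kwargs).run(program)


if __name__ == "__main__":
    for f in analyze_program():
        print("line %d: tainted %s reaches sink %s" % (f.line, f.argument, f.sink))
```

Running it reports lines 4 and 8 (`cmd` is tainted via `name`) and stays quiet on line 7, where `tonumber` cleared the taint; dropping the sanitizer list (`analyze_program(sanitizers=set())`) adds line 7 as a third finding. The walk is intra-procedural and flow-insensitive at branches, which is roughly what the quoted sentence leaves you to guess at; handling calls to user-defined functions, table fields and loops is exactly the part the paper's text does not spell out.
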
------
vanni
I just realized that Lua is open source but does not accept outside code
contributions. Meh.

~~~
LeifCarrotson
They have an active mailing list:
[https://www.lua.org/lua-l.html](https://www.lua.org/lua-l.html)

And they are welcoming towards patches, though they don't copy them all in
verbatim: [https://www.lua.org/faq.html#1.9](https://www.lua.org/faq.html#1.9)

> _1.9 – Do you accept patches?_

> _We encourage discussions based on tested code solutions for problems and
> enhancements, but we never incorporate third-party code verbatim. We always
> try to understand the issue and the proposed solution and then, if we choose
> to address the issue, we provide our own code. All code in Lua is written by
> us. See also the previous question [On the lack of a public, official VCS]._

Few large projects accept all outside contribution. And Lua would not be as
versatile, as portable, or as small as it is if it did.

~~~
altotrees
I was about to say, accepting all outside contributions would promote bloat
and kill portability. I don't think they are doing this in an elitist way,
just as a matter of practicality.

