
Two things: 1) I think this is really cool, especially the guarantee that your script is executed with the same atomicity as an internal command. That gives you a lot of freedom to write simple stuff in a simple way without too much worrying about concurrency (the INCREX sample on the linked page is a good example of what I mean - the data doesn't change between the "exists" and the "incr" call).

and 2) this opens a whole new playground for NoSQL injections: I don't know a lot (well, anything) about Lua embedding, but I could imagine that these Lua scripts somehow could get access to the file system. This means that you have to be really, really careful not to expose redis to the outside world and not to have it execute injected commands.




The fact that it allows separate arguments should make injection vulnerabilities a lot less likely to happen by accident, since there shouldn't be any need to interpolate your arguments into the code string (this would also mess up the compiled function cache, so you definitely don't want to do that anyway).

Also, LUA is very small at its core and I don't think it by default includes things like file system access. You pretty much just get what the host application gives you, which in this case seems to be just the Redis API.
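As an added illustration of the separate-arguments point above (not code from the thread, from Redis, or from the linked page): the same INCREX-style script built two ways, run against a constructed key containing a quote. The script body, the EVAL argument layout and the SHA1 cache check are modelled on Redis's EVAL/EVALSHA interface and are assumptions here.

```python
import hashlib

# Lua body for "increment only if the key already exists", in the spirit of the
# INCREX sample mentioned in the thread (constructed here, not the linked page's text).
# KEYS[] and ARGV[] are populated by EVAL from the separate arguments, so the
# body itself never changes, whatever the caller passes in.
INCREX_SCRIPT = """
if redis.call('exists', KEYS[1]) == 1 then
  return redis.call('incrby', KEYS[1], tonumber(ARGV[1]))
end
return nil
""".strip()


def script_sha(script: str) -> str:
    """SHA1 of the script body: Redis keys its script cache on this value and
    EVALSHA accepts it in place of the source text."""
    return hashlib.sha1(script.encode()).hexdigest()


def build_eval_safe(key: str, amount: int) -> list[str]:
    """EVAL <script> <numkeys> <key...> <arg...> as separate protocol arguments.
    Values travel beside the code, never inside it."""
    return ["EVAL", INCREX_SCRIPT, "1", key, str(amount)]


def build_eval_interpolated(key: str, amount: str) -> list[str]:
    """The pattern the thread warns against: splicing caller values into the Lua
    source. Every distinct input yields a distinct script (and cache entry)."""
    script = (f"if redis.call('exists', '{key}') == 1 then\n"
              f"  return redis.call('incrby', '{key}', {amount})\n"
              f"end\nreturn nil")
    return ["EVAL", script, "0"]


def script_is_fixed(build, inputs) -> bool:
    """True if every call produces the same script body, i.e. one cached function
    whose code does not depend on caller-controlled data."""
    return len({build(*args)[1] for args in inputs}) == 1


def value_in_code(cmd: list[str], value: str) -> bool:
    """True if a caller-supplied value ended up inside the script text itself,
    the precondition for any injection into the Lua code."""
    return value in cmd[1]


# Constructed sample inputs; the second key contains a quote character.
SAMPLE_INPUTS = [("counter:1", 1), ("o'reilly", 5)]
```

With the safe builder the SHA1 stays constant across all inputs, so EVALSHA can be used and the quote in the key is just data; with the interpolated builder the quote lands inside a Lua string literal and the script text changes with every call.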

-----


First, it's Lua. Not LUA.

Secondly, it does include filesystem access by default, and right now there is no decent protection against it. Hopefully, sandboxing will be implemented before this reaches anything related to stable.

-----


You seem to be correct on both of those points.

Sandboxing Lua does seem quite easy though: http://stackoverflow.com/questions/1224708/how-can-i-create-...

-----


Thanks almost, 100% agree, you just said it in better English :)

-----



