test: test lua gc of nil value with sandbox disabled 2886/head 2887/head
authorJason Ish <jason.ish@oisf.net>
Fri, 23 Jan 2026 22:25:15 +0000 (16:25 -0600)
committerJason Ish <jason.ish@oisf.net>
Fri, 23 Jan 2026 22:37:46 +0000 (16:37 -0600)
Ticket: #8248

tests/lua/lua-gc-nil/README.md [new file with mode: 0644]
tests/lua/lua-gc-nil/test.lua [new file with mode: 0644]
tests/lua/lua-gc-nil/test.rules [new file with mode: 0644]
tests/lua/lua-gc-nil/test.yaml [new file with mode: 0644]

diff --git a/tests/lua/lua-gc-nil/README.md b/tests/lua/lua-gc-nil/README.md
new file mode 100644 (file)
index 0000000..c9a3951
--- /dev/null
@@ -0,0 +1,5 @@
+Test that directly calling the metatable garbard collector doesn't crash
+Suricata. This requires disabling the sandbox, but we are still able to guard
+against it.
+
+https://redmine.openinfosecfoundation.org/issues/8248
diff --git a/tests/lua/lua-gc-nil/test.lua b/tests/lua/lua-gc-nil/test.lua
new file mode 100644 (file)
index 0000000..6eeeaa2
--- /dev/null
@@ -0,0 +1,23 @@
+local sf = require "suricata.flow"
+
+function init(args)
+    local needs = {}
+    needs["packet"] = "true"
+    return needs
+end
+
+function match(args)
+    -- 1. Get a valid flow object
+    local f = sf.get()
+
+    if f then
+        -- 2. Access its metatable
+        local mt = getmetatable(f)
+
+        if mt and mt.__gc then
+            -- 3. Manually call __gc with nil to trigger the crash
+            mt.__gc(nil)
+        end
+    end
+    return 1
+end
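Review bot: `match` returns 1 on every path, so the alert count in test.yaml is met even when `sf.get()` returns nil, the metatable is not reachable, or `__gc` is absent; in those cases `mt.__gc(nil)` is never called and the test passes without exercising the guard from ticket #8248. Returning 0 when a precondition fails would make the expected alert count prove the call actually happened, e.g. `if not (mt and mt.__gc) then return 0 end` ahead of the call, with the same treatment for a nil `f`. The step-3 comment also says the call is made "to trigger the crash" while the test asserts the opposite; `-- 3. Call __gc with nil; a guarded build must not crash` is closer to the intent.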
diff --git a/tests/lua/lua-gc-nil/test.rules b/tests/lua/lua-gc-nil/test.rules
new file mode 100644 (file)
index 0000000..cd8f463
--- /dev/null
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"Lua GC nil crash"; lua:test.lua; sid:1; rev:1;)
diff --git a/tests/lua/lua-gc-nil/test.yaml b/tests/lua/lua-gc-nil/test.yaml
new file mode 100644 (file)
index 0000000..5d9a1ee
--- /dev/null
@@ -0,0 +1,15 @@
+requires:
+  min-version: 9.0.0
+
+args:
+  - --set default-rule-path=${TEST_DIR}
+  - --set security.lua.allow-restricted-functions=true
+
+pcap: ../lua-bad-script/test.pcap
+
+checks:
+  - filter:
+      count: 8
+      match:
+        event_type: alert
+        alert.signature_id: 1
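Review bot: The `--set security.lua.allow-restricted-functions=true` argument switches the Lua sandbox off with no comment saying why; only the README explains it. A YAML comment above it, such as `# Sandbox disabled so test.lua can call the metatable __gc directly (ticket 8248); test-only setting`, keeps the reason next to the switch for anyone copying this config. Separately, `count: 8` depends on the number of packets in `../lua-bad-script/test.pcap`, which belongs to another test. A comment noting that coupling, or a pcap local to this directory, would stop a change to that fixture from silently breaking this check.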