lua: disable lua rules by default

To protect against possible supply chain attacks, disable Lua rules by
default. They can be enabled under the "security" section of
suricata.yaml.

Ticket: #6122

diff --git a/src/detect-lua.c b/src/detect-lua.c
index 4960486b17013ce3095f4acd8e60a8b619e13cf8..f7087b4580a17da630ea9a743fe0113f333d34b6 100644 (file)
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -1002,6 +1002,16 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
     DetectLuaData *lua = NULL;
     SigMatch *sm = NULL;
 
+    /* First check if Lua rules are enabled, by default Lua in rules
+     * is disabled. */
+    int enabled = 0;
+    (void)ConfGetBool("security.lua.allow-rules", &enabled);
+    if (!enabled) {
+        SCLogError(SC_ERR_NO_LUA_SUPPORT,
+                "Lua rules disabled by security configuration: security.lua.allow-rules");
+        goto error;
+    }
+
     lua = DetectLuaParse(de_ctx, str);
     if (lua == NULL)
         goto error;
@@ -1156,6 +1166,8 @@ static void DetectLuaFree(DetectEngineCtx *de_ctx, void *ptr)
 /** \test http buffer */
 static int LuaMatchTest01(void)
 {
+    ConfSetFinal("security.lua.allow-rules", "true");
+
     const char script[] =
         "function init (args)\n"
         "   local needs = {}\n"
@@ -2941,4 +2953,4 @@ void DetectLuaRegisterTests(void)
     UtRegisterTest("LuaMatchTest06a", LuaMatchTest06a);
 }
 #endif
-#endif /* HAVE_LUAJIT */
\ No newline at end of file
+#endif /* HAVE_LUAJIT */

diff --git a/suricata.yaml.in b/suricata.yaml.in
index 47889be5e494f06001ec39479b965e08ffb62dc4..8bbf1e2516871137eac49ef4451e3fca3bfef1ba 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1014,6 +1014,11 @@ asn1-max-frames: 256
 #  user: suri
 #  group: suri
 
+security:
+  lua:
+    # Allow Lua rules. Disabled by default.
+    #allow-rules: false
+
 # Some logging modules will use that name in event as identifier. The default
 # value is the hostname
 #sensor-name: suricata