To protect against possible supply chain attacks, disable Lua rules by
default. They can be enabled under the "security" section of
suricata.yaml.
Ticket: #6122
DetectLuaData *lua = NULL;
SigMatch *sm = NULL;
+ /* First check if Lua rules are enabled, by default Lua in rules
+ * is disabled. */
+ int enabled = 0;
+ (void)ConfGetBool("security.lua.allow-rules", &enabled);
+ if (!enabled) {
+ SCLogError("Lua rules disabled by security configuration: security.lua.allow-rules");
+ goto error;
+ }
+
lua = DetectLuaParse(de_ctx, str);
if (lua == NULL)
goto error;
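Review bot: The new gate jumps to `error` while `lua` and `sm` are both still NULL, and the `error` label is outside this hunk, so the cleanup there must tolerate NULL for both. That is worth confirming, because on a default install this becomes the normal path for every Lua rule. The `(void)ConfGetBool(...)` cast also hides that a missing key leaves `enabled` at its initial 0, which is the fail-closed behaviour the commit relies on; I would state that in the comment, e.g. `/* Fail closed: a missing key leaves enabled at 0. */`. The enclosing function starts and ends outside the hunk.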
/** \test http buffer */
static int LuaMatchTest01(void)
{
+ ConfSetFinal("security.lua.allow-rules", "true");
+
const char script[] =
"function init (args)\n"
" local needs = {}\n"
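Review bot: `ConfSetFinal("security.lua.allow-rules", "true")` changes process-wide configuration and nothing in this hunk restores it, so tests that run after LuaMatchTest01 may inherit Lua being enabled. None of the hunks shown adds a test for the new disabled-by-default path. A small test that leaves the key unset and asserts that a Lua rule fails to load would pin the security behaviour. The body of LuaMatchTest01 continues outside the hunk, so a reset may exist further down.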
- /etc/
- @e_sysconfdir@
+ lua:
+ # Allow Lua rules. Disabled by default.
+ #allow-rules: false
+
# Some logging modules will use that name in event as identifier. The default
# value is the hostname
#sensor-name: suricata
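Review bot: The comment on `allow-rules` does not say what happens to a ruleset containing Lua rules while the option is off, nor that enabling it lets rule files run scripts inside the engine. Judging by the `goto error` added to the keyword setup, such rules appear to be rejected at load time, so I would write `# Allow Lua rules. Disabled by default; rules using Lua fail to load unless this is true.` followed by `# Enable only when every rule source is trusted.` Presumably an existing suricata.yaml without a `security.lua` section also gets the disabled behaviour after upgrade, which deserves a line in the upgrade notes.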