From: Jason Ish Date: Fri, 23 Jan 2026 22:25:15 +0000 (-0600) Subject: test: test lua gc of nil value with sandbox disabled X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3aaa2d6f6b60a863e2b63f0cca18a1aa18e2d1f2;p=thirdparty%2Fsuricata-verify.git test: test lua gc of nil value with sandbox disabled Ticket: #8248
---
diff --git a/tests/lua/lua-gc-nil/README.md b/tests/lua/lua-gc-nil/README.md
new file mode 100644
index 000000000..c9a39518b
--- /dev/null
+++ b/tests/lua/lua-gc-nil/README.md
@@ -0,0 +1,5 @@
+Test that directly calling the metatable garbard collector doesn't crash
+Suricata. This requires disabling the sandbox, but we are still able to guard
+against it.
+
+https://redmine.openinfosecfoundation.org/issues/8248
diff --git a/tests/lua/lua-gc-nil/test.lua b/tests/lua/lua-gc-nil/test.lua
new file mode 100644
index 000000000..6eeeaa28e
--- /dev/null
+++ b/tests/lua/lua-gc-nil/test.lua
@@ -0,0 +1,23 @@
+local sf = require "suricata.flow"
+
+function init(args)
+ local needs = {}
+ needs["packet"] = "true"
+ return needs
+end
+
+function match(args)
+ -- 1. Get a valid flow object
+ local f = sf.get()
+
+ if f then
+ -- 2. Access its metatable
+ local mt = getmetatable(f)
+
+ if mt and mt.__gc then
+ -- 3. Manually call __gc with nil to trigger the crash
+ mt.__gc(nil)
+ end
+ end
+ return 1
+end
diff --git a/tests/lua/lua-gc-nil/test.rules b/tests/lua/lua-gc-nil/test.rules
new file mode 100644
index 000000000..cd8f46328
--- /dev/null
+++ b/tests/lua/lua-gc-nil/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"Lua GC nil crash"; lua:test.lua; sid:1; rev:1;)
diff --git a/tests/lua/lua-gc-nil/test.yaml b/tests/lua/lua-gc-nil/test.yaml
new file mode 100644
index 000000000..5d9a1ee78
--- /dev/null
+++ b/tests/lua/lua-gc-nil/test.yaml
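Review bot: In tests/lua/lua-gc-nil/test.lua, `match` returns 1 on every path, so the `count: 8` alert check in test.yaml still passes when `sf.get()` returns nil or the metatable exposes no `__gc`, and the guarded call is then never exercised. Returning 0 from those branches, e.g. `if not f then return 0 end` and `if not (mt and mt.__gc) then return 0 end`, would lower the alert count and fail the test whenever the nil-argument path is not reached. The step-3 comment says the call is made "to trigger the crash" while the README states the expected outcome is no crash; `-- 3. Call __gc with nil; a guarded build must survive this` would match the intent.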
@@ -0,0 +1,15 @@
+requires:
+ min-version: 9.0.0
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-restricted-functions=true
+
+pcap: ../lua-bad-script/test.pcap
+
+checks:
+ - filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 1