From: Jason Ish
Date: Wed, 7 Jun 2023 22:35:53 +0000 (-0600)
Subject: lua: disable lua rules by default
X-Git-Tag: suricata-6.0.13~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b95bbcc66db526ffcc880eb439dbe8abc87a81da;p=thirdparty%2Fsuricata.git

lua: disable lua rules by default

To protect against possible supply chain attacks, disable Lua rules by default. They can be enabled under the "security" section of suricata.yaml.

Ticket: #6122
---
diff --git a/src/detect-lua.c b/src/detect-lua.c
index 4960486b17..f7087b4580 100644
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -1002,6 +1002,16 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
     DetectLuaData *lua = NULL;
     SigMatch *sm = NULL;
 
+    /* First check if Lua rules are enabled, by default Lua in rules
+     * is disabled. */
+    int enabled = 0;
+    (void)ConfGetBool("security.lua.allow-rules", &enabled);
+    if (!enabled) {
+        SCLogError(SC_ERR_NO_LUA_SUPPORT,
+                "Lua rules disabled by security configuration: security.lua.allow-rules");
+        goto error;
+    }
+
     lua = DetectLuaParse(de_ctx, str);
     if (lua == NULL)
         goto error;
@@ -1156,6 +1166,8 @@ static void DetectLuaFree(DetectEngineCtx *de_ctx, void *ptr)
 /** \test http buffer */
 static int LuaMatchTest01(void)
 {
+    ConfSetFinal("security.lua.allow-rules", "true");
+
     const char script[] =
         "function init (args)\n"
         "    local needs = {}\n"
@@ -2941,4 +2953,4 @@ void DetectLuaRegisterTests(void)
     UtRegisterTest("LuaMatchTest06a", LuaMatchTest06a);
 }
 #endif
-#endif /* HAVE_LUAJIT */
\ No newline at end of file
+#endif /* HAVE_LUAJIT */
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 47889be5e4..8bbf1e2516 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
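Review bot: The `(void)` on `ConfGetBool("security.lua.allow-rules", &enabled)` leaves the fail-closed behaviour implicit: when the key is absent or is not parseable as a boolean, `enabled` keeps its initializer and the rule is rejected, which is the intended default, but nothing at the call site says so. Suggest extending the comment to `/* Fail closed: a missing or unparsable security.lua.allow-rules leaves enabled == 0. */`. The rejection is logged as `SC_ERR_NO_LUA_SUPPORT`, which reads as Lua not being compiled in rather than a policy decision; an error code that denotes a rejected signature would make the log less confusing for operators, if one fits in this tree. The `goto error` runs with `lua` and `sm` still NULL, so the error label, which is outside the hunk, has to tolerate that; DetectLuaSetup starts before the hunk and continues after it.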
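Review bot: `ConfSetFinal("security.lua.allow-rules", "true")` in LuaMatchTest01 makes the permissive value sticky for the rest of the process, if ConfSetFinal behaves as its name suggests, so no later unit test in this file can exercise the new default-deny path in DetectLuaSetup; a test that feeds a Lua rule without the setting and expects setup to fail would pin the behaviour this commit introduces. Whether the other LuaMatchTest cases rely on this test running first is not visible in the hunk; if they do, a comment such as `/* Lua rules are rejected unless security.lua.allow-rules is set; ConfSetFinal makes this stick for all later tests. */` would record the ordering dependency. LuaMatchTest01 continues past the end of the hunk.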
@@ -1014,6 +1014,11 @@ asn1-max-frames: 256
 # user: suri
 # group: suri
 
+security:
+  lua:
+    # Allow Lua rules. Disabled by default.
+    #allow-rules: false
+
 # Some logging modules will use that name in event as identifier. The default
 # value is the hostname
 #sensor-name: suricata
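Review bot: The new `security.lua` block says Lua rules are disabled by default, but the example line shows `#allow-rules: false`, so an operator who simply uncomments it to enable Lua still gets the denial. Suggest adding `# Lua rules are rejected at load time unless this is set to true.` above the example, or showing the value the user would actually change to. This template only documents the default; the check itself is enforced in DetectLuaSetup in the other file of this commit.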