From f119b2970130da7265eea61413633d5756e21045 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 7 Jun 2023 16:35:53 -0600
Subject: [PATCH] lua: disable lua rules by default

To protect against possible supply chain attacks, disable Lua rules by default. They can be enabled under the "security" section of suricata.yaml.

Ticket: #6122
---
 src/detect-lua.c | 11 +++++++++++
 suricata.yaml.in |  4 ++++
 2 files changed, 15 insertions(+)

diff --git a/src/detect-lua.c b/src/detect-lua.c
index 680aee34f3..18302cf7bd 100644
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -1015,6 +1015,15 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
     DetectLuaData *lua = NULL;
     SigMatch *sm = NULL;
 
+    /* First check if Lua rules are enabled, by default Lua in rules
+     * is disabled. */
+    int enabled = 0;
+    (void)ConfGetBool("security.lua.allow-rules", &enabled);
+    if (!enabled) {
+        SCLogError("Lua rules disabled by security configuration: security.lua.allow-rules");
+        goto error;
+    }
+
     lua = DetectLuaParse(de_ctx, str);
     if (lua == NULL)
         goto error;
@@ -1169,6 +1178,8 @@ static void DetectLuaFree(DetectEngineCtx *de_ctx, void *ptr)
 /** \test http buffer */
 static int LuaMatchTest01(void)
 {
+    ConfSetFinal("security.lua.allow-rules", "true");
+
     const char script[] =
         "function init (args)\n"
         "    local needs = {}\n"
diff --git a/suricata.yaml.in b/suricata.yaml.in
index f9a575d726..2b7fd3bef4 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1191,6 +1191,10 @@ security:
         - /etc/
         - @e_sysconfdir@
 
+  lua:
+    # Allow Lua rules. Disabled by default.
+    #allow-rules: false
+
 # Some logging modules will use that name in event as identifier. The default
 # value is the hostname
 #sensor-name: suricata
-- 
2.47.2
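Review bot: The gate added at the top of DetectLuaSetup depends on ConfGetBool leaving `enabled` at 0 when the key is absent or not a valid boolean, because its return value is thrown away with `(void)`; that gives the intended default-deny, but nothing in the hunk states it, and the cast reads like a suppressed error to anyone unfamiliar with ConfGetBool. I would make the contract explicit with `/* ConfGetBool leaves enabled == 0 when the key is missing or not a boolean, so an unset option means Lua rules stay disabled. */` above the call. The early `goto error` runs with both `lua` and `sm` still NULL, so the error label outside the hunk must tolerate that; the existing `if (lua == NULL) goto error;` three lines down already does the same, so it presumably does. Note that this guards only the `lua` rule keyword; if the engine has other Lua entry points, this option does not cover them. DetectLuaSetup starts and ends outside the hunk.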
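Review bot: `ConfSetFinal("security.lua.allow-rules", "true")` in LuaMatchTest01 writes process-wide configuration and nothing in the hunk clears it afterwards, so any later test in this file that registers a Lua rule will pass or fail depending on whether this test ran before it. If the other Lua match tests (outside the hunk) also go through DetectLuaSetup, each should set the option itself or a shared setup helper should, rather than relying on test order. A one-line comment such as `/* Lua rules are off by default (security.lua.allow-rules); enable them for this test. */` would also tell the reader why the line is there. LuaMatchTest01's body continues outside the hunk.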
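Review bot: The new `lua:` block in suricata.yaml.in names the knob but not the risk it controls, which is the one thing an operator needs before uncommenting `allow-rules`; the commit message's supply-chain rationale should live in the template comment too. I would expand it to `# Allow Lua rules. Disabled by default: a rule file can run arbitrary Lua, so only enable this when every ruleset you load is trusted.` and state that leaving the key commented out is the same as `false`.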