Usage of package "lua"


Sateesh Reddy Gaddam

May 2, 2018, 5:41:16 AM
to Redis DB
Dear all,

As part of a SW vulnerabilities test, the package "lua" in redisServer can lead to penetration into the SW, which can cause the SW to behave abnormally.
I would like to know the following points:
1) Will there be any impact without the package "lua"?
2) Is there any version already available without the package "lua"?

Itamar Haber

May 2, 2018, 8:55:21 AM
to Redis DB
Hello Sateesh,

The Lua sandbox is an integral part of Redis. In the past, there was at least one vulnerability that was identified and fixed. Currently, there are **no** known vulnerabilities in it.

If you've identified one or more vulnerabilities, please contact the project's creator (Salvatore Sanfilippo, @antirez) and discreetly inform him of your findings.

1) The Lua engine in Redis isn't a package - it is a part of Redis. You could fork Redis and remove all traces of it if that's what you want.
2) To the best of my knowledge, no, there isn't such a version.

As an alternative, you can completely disable Redis' Lua by renaming the relevant commands to the empty string. That way, no user/malicious hacker can use Lua from Redis. To do that, add the following lines to your conf file:

rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""

Cheers,

--
You received this message because you are subscribed to the Google Groups "Redis DB" group.
To unsubscribe from this group and stop receiving emails from it, send an email to redis-db+unsubscribe@googlegroups.com.
To post to this group, send email to redi...@googlegroups.com.
Visit this group at https://groups.google.com/group/redis-db.
For more options, visit https://groups.google.com/d/optout.



--

Itamar Haber | Technology Evangelist
Redis Labs ~/redis

Mobile: +972 (54) 567 9692
Twitter: @itamarhaber
Skype: itamar.haber

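The rename-command approach in the reply above is only effective if all three commands really are renamed to the empty string; renaming one of them to an obscure name leaves it callable by anyone who learns the name, and forgetting one leaves the interpreter reachable. The following audit script is an added example, not code from the thread or from the Redis project: it parses a redis.conf fragment the way Redis tokenises it (shell-style quoting, so `""` means "disable") and reports which scripting commands are disabled, merely renamed, or still exposed. The two configuration fragments are constructed for the example. It goes beyond the 2018 thread by also listing the EVAL_RO/EVALSHA_RO and FUNCTION/FCALL commands that Redis 7.0 added as further entry points to the Lua engine; on a Redis 4 or 5 server only EVAL, EVALSHA and SCRIPT exist, which is what `lua_disabled()` checks by default.

```python
import shlex
from typing import Dict, List, Tuple

# Commands that reach the embedded Lua interpreter. EVAL, EVALSHA and SCRIPT are
# the three named in the reply above. The *_RO variants and the FUNCTION/FCALL
# family were added in Redis 7.0 and are listed so the same audit also covers
# newer servers (assumption: you are auditing a 7.x config).
SCRIPTING_COMMANDS: Tuple[str, ...] = (
    "EVAL", "EVALSHA", "SCRIPT",
    "EVAL_RO", "EVALSHA_RO",
    "FUNCTION", "FCALL", "FCALL_RO",
)

# Constructed sample redis.conf fragments (not from the original post).
HARDENED_CONF = """
port 6379
rename-command EVAL ""
rename-command evalsha ""   # Redis command lookup is case-insensitive
rename-command SCRIPT ''
"""

WEAK_CONF = """
port 6379
rename-command EVAL ""
rename-command SCRIPT "s3cr3t_script"   # obscured, not disabled
# EVALSHA not mentioned at all: still fully available
"""


def parse_renames(conf_text: str) -> Dict[str, str]:
    """Return {ORIGINAL_COMMAND: new_name} for every rename-command directive.

    redis.conf lines are whitespace separated with shell-like quoting, so
    shlex reproduces the tokenisation: "" or '' yields an empty new name,
    which is what tells Redis to drop the command. '#' starts a comment.
    """
    renames: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:
            # Unbalanced quote: Redis would refuse to start; nothing to audit here.
            continue
        if len(tokens) == 3 and tokens[0].lower() == "rename-command":
            renames[tokens[1].upper()] = tokens[2]
    return renames


def audit_scripting(conf_text: str,
                    commands: Tuple[str, ...] = SCRIPTING_COMMANDS) -> Dict[str, List[str]]:
    """Classify each scripting command as disabled, renamed (still callable
    under the new name, i.e. security by obscurity) or exposed (untouched)."""
    renames = parse_renames(conf_text)
    report: Dict[str, List[str]] = {"disabled": [], "renamed": [], "exposed": []}
    for cmd in commands:
        if cmd not in renames:
            report["exposed"].append(cmd)
        elif renames[cmd] == "":
            report["disabled"].append(cmd)
        else:
            report["renamed"].append(cmd)
    return report


def lua_disabled(conf_text: str,
                 commands: Tuple[str, ...] = ("EVAL", "EVALSHA", "SCRIPT")) -> bool:
    """True only when every listed command is renamed to the empty string."""
    report = audit_scripting(conf_text, commands)
    return not report["exposed"] and not report["renamed"]


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, audit_scripting(conf), "lua_disabled:", lua_disabled(conf))
```

After restarting a server with the hardened fragment, `redis-cli EVAL "return 1" 0` answers with an unknown-command error, which is the live check to pair with the static one. Redis 6 and later also provide ACLs (the `@scripting` command category) as a per-user alternative to global renaming.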
Sateesh Reddy Gaddam

May 3, 2018, 12:17:46 AM
to Redis DB
Hi Itamar Haber,

Thank you for the information.
We shall work on your inputs.
