diff options
author | meir <meir@redis.com> | 2022-02-06 14:30:15 +0200 |
---|---|---|
committer | meir <meir@redis.com> | 2022-04-27 00:20:54 +0300 |
commit | 992f9e23c7ee819ad0dfac0bd6224d8330366960 (patch) | |
tree | d5753f6f503293504dc16b7a24925a335c64566f /deps | |
parent | 8b33d813a3d47d4daeaaef03b7e42a51f6931f79 (diff) | |
download | redis-992f9e23c7ee819ad0dfac0bd6224d8330366960.tar.gz |
Move user eval function to be located on Lua registry.
Today, Redis wrap the user Lua code with a Lua function.
For example, assuming the user code is:
```
return redis.call('ping')
```
The actual code that would have sent to the Lua interpreter was:
```
f_b3a02c833904802db9c34a3cf1292eee3246df3c() return redis.call('ping') end
```
The wraped code would have been saved on the global dictionary with the
following name: `f_<script sha>` (in our example `f_b3a02c833904802db9c34a3cf1292eee3246df3c`).
This approach allows one user to easily override the implementation a another user code, example:
```
f_b3a02c833904802db9c34a3cf1292eee3246df3c = function() return 'hacked' end
```
Running the above code will cause `evalsha b3a02c833904802db9c34a3cf1292eee3246df3c 0` to return
hacked although it should have returned `pong`.
Another disadventage is that Redis basically runs code on the loading (compiling) phase without been
aware of it. User can do code injection like this:
```
return 1 end <run code on compling phase> function() return 1
```
The wraped code will look like this and the entire `<run code on compling phase>` block will run outside
of eval or evalsha context:
```
f_<sha>() return 1 end <run code on compling phase> function() return 1 end
```
Diffstat (limited to 'deps')
0 files changed, 0 insertions, 0 deletions