security: make os.getenv safe

Closes #7797 NO_DOC=security fix NO_TEST=security fix (cherry picked from commit dd7d46af)

security: make os.getenv safe
ec3eb525 · Serge Petrenko · Kirill Yukhin · 829b65f8 · ec3eb525 · ec3eb525
Commit ec3eb525 authored 2 years ago by Serge Petrenko Committed by Kirill Yukhin 2 years ago
--- a/changelogs/unreleased/gh-7797-untrusted-input-validation.md
+++ b/changelogs/unreleased/gh-7797-untrusted-input-validation.md
@@ -2,3 +2,4 @@

 * Added boundary checking for getenv() return values and started copying them
  rather than using directly (gh-7797).
+* Made `os.getenv()` always return values of sane size (gh-7797).
--- a/src/lua/utils.c
+++ b/src/lua/utils.c
@@ -735,6 +735,30 @@ luaT_newthread(struct lua_State *L)
 	return L1;
 }

+/**
+ * A safer os.getenv() variant. The difference is that it returns the value only
+ * if it has sane length (see src/lib/core/utils.c for details).
+ */
+static int
+luaT_getenv(struct lua_State *L)
+{
+	const char *name = lua_tostring(L, 1);
+	if (name == NULL)
+		return luaL_error(L, "usage: os.getenv(name)");
+	char *envvar = getenv_safe(name, NULL, 0);
+	if (envvar != NULL) {
+		lua_pushstring(L, envvar);
+		free(envvar);
+	} else {
+		/*
+		 * Original getenv pushes nil onto the stack when no value is
+		 * found.
+		 */
+		lua_pushnil(L);
+	}
+	return 1;
+}
+
 int
 tarantool_lua_utils_init(struct lua_State *L)
 {
@@ -800,6 +824,12 @@ tarantool_lua_utils_init(struct lua_State *L)
 	CTID_INTERVAL = luaL_ctypeid(L, "struct interval");
 	assert(CTID_INTERVAL != 0);

+	/* Overload os.getenv() with our safe variant. */
+	lua_getglobal(L, "os");
+	lua_pushcfunction(L, luaT_getenv);
+	lua_setfield(L, -2, "getenv");
+	lua_pop(L, 1);
+
 	lua_pushcfunction(L, luaT_newthread_wrapper);
 	luaT_newthread_ref = luaL_ref(L, LUA_REGISTRYINDEX);
 	return 0;