brentp / vcfanno

annotate a VCF with other VCFs/BEDs/tabixed files
https://genomebiology.biomedcentral.com/articles/10.1186/s13059-016-0973-5
MIT License

question about lua interface and security on a Galaxy server #132

Closed NatPRoach closed 3 years ago

NatPRoach commented 3 years ago

Hi Brent, I had a question about vcfanno. I'm looking to write a wrapper for vcfanno in Galaxy (https://usegalaxy.org/), but wanted to check that it would be safe to write a wrapper that exposes the lua functionality. Mainly, I'm wondering if there are any checks on the lua code that is being used to define new ops. If a user wanted to use the fact that the lua functions they're providing are being called, could they use that to execute arbitrary lua and mess with our filesystem / data storage, or is there parsing or checks at some level to restrict the types of functions being written?

Worst case scenario is I wrap the tool without exposing the lua functionality, but I wanted to check with you in case I can expose the full functionality safely.

brentp commented 3 years ago

Hi Nathan, I think this would be a security issue. You could check by trying to use lua from vcfanno to access local files or make system calls.

NatPRoach commented 3 years ago

That's what I figured, I'll do that check. Thanks for the quick response!
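The check Brent suggests, written up as an added example that is not code from vcfanno or from either participant in this thread: a Lua "op" that, instead of computing an annotation, only reports which filesystem- and process-related standard-library functions the embedded interpreter makes reachable, without calling any of them. It assumes vcfanno loads the file via `-lua audit.lua` and that the conf references the function as `op="lua:audit(vals)"` (assumed usage; check against the vcfanno docs for your version).

```lua
-- Added example, not part of vcfanno or this issue. Run as:
--   vcfanno -lua audit.lua conf.toml input.vcf
-- with a conf entry such as op="lua:audit(vals)" (assumed syntax).
-- The returned string lands in the INFO field of each annotated record,
-- so one record is enough to see what user-supplied Lua can reach.

-- Dotted names of functions that would matter for filesystem/data-store
-- access if user-supplied Lua could call them. Constructed list.
local PROBES = {
  "os.execute", "os.remove", "os.rename", "os.getenv", "os.exit",
  "io.open", "io.popen", "io.lines",
  "loadfile", "dofile", "require", "load", "loadstring",
}

-- Resolve a dotted name such as "io.open" against the global table.
-- Only indexes tables; never invokes anything. Returns nil if absent.
local function lookup(path)
  local cur = _G
  for part in string.gmatch(path, "[^%.]+") do
    if type(cur) ~= "table" then return nil end
    cur = cur[part]
  end
  return cur
end

-- Returns the subset of PROBES that resolve to callable functions.
function reachable_capabilities()
  local found = {}
  for _, name in ipairs(PROBES) do
    if type(lookup(name)) == "function" then
      found[#found + 1] = name
    end
  end
  return found
end

-- The op vcfanno calls. Ignores its input values and emits a compact,
-- INFO-safe report (no ';' or whitespace in the output).
function audit(vals)
  local caps = reachable_capabilities()
  if #caps == 0 then
    return "lua_sandboxed"
  end
  return "lua_exposes=" .. table.concat(caps, "|")
end
```

If the report lists anything other than `lua_sandboxed`, the wrapper should treat user-supplied Lua as arbitrary code execution on the Galaxy host and not expose that option.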