security: disable lua scripting by default (#3830)

There is a weakness that can be abused by a default skipper installation
such that you can read arbitrary files as skipper process. It depends on
the custom installation and environment if this is actually exploitable
by untrusted people. Since 2022 we provide a detailed Lua [config
guide](https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources)
such that operators can choose how to use Lua even in less trusted
environments. For example you can use -lua-sources=file and only
operators that can provide a file accessible to the skipper process are
able to reference lua sources and execute provided scripts.

Thanks defang bo providing us a detailed report how to exploit this
vulnerability that is available by default in skipper versions <v0.23

Signed-off-by: Sandor Szücs <[email protected]>

Author: szuecs

VERSION

@@ -1 +1 @@
-v0.22
+v0.23

config/config.go

@@ -315,6 +315,7 @@ type Config struct {
 
 	ClusterRatelimitMaxGroupShards int `yaml:"cluster-ratelimit-max-group-shards"`
 
+	EnableLua  bool      `yaml:"enable-lua"`
 	LuaModules *listFlag `yaml:"lua-modules"`
 	LuaSources *listFlag `yaml:"lua-sources"`
 
@@ -654,6 +655,7 @@ func NewConfig() *Config {
 
 	flag.IntVar(&cfg.ClusterRatelimitMaxGroupShards, "cluster-ratelimit-max-group-shards", 1, "sets the maximum number of group shards for the clusterRatelimit filter")
 
+	flag.BoolVar(&cfg.EnableLua, "enable-lua", false, "enable the Lua scripting engine to be able to use the lua() filter")
 	flag.Var(cfg.LuaModules, "lua-modules", "comma separated list of lua filter modules. Use <module>.<symbol> to selectively enable module symbols, for example: package,base._G,base.print,json")
 	flag.Var(cfg.LuaSources, "lua-sources", `comma separated list of lua input types for the lua() filter. Valid sources "", "file", "inline", "file,inline" and "none". Use "file" to only allow lua file references in lua filter. Default "" is the same as "file","inline". Use "none" to disable lua filters.`)
 
@@ -1054,6 +1056,7 @@ func (c *Config) ToOptions() skipper.Options {
 
 		ClusterRatelimitMaxGroupShards: c.ClusterRatelimitMaxGroupShards,
 
+		EnableLua:  c.EnableLua,
 		LuaModules: c.LuaModules.values,
 		LuaSources: c.LuaSources.values,
 

config/config_test.go

@@ -169,6 +169,7 @@ func defaultConfig(with func(*Config)) *Config {
 		ClusterRatelimitMaxGroupShards:          1,
 		ValidateQuery:                           true,
 		ValidateQueryLog:                        true,
+		EnableLua:                               false,
 		LuaModules:                              commaListFlag(),
 		LuaSources:                              commaListFlag(),
 		OpenPolicyAgentCleanerInterval:          openpolicyagent.DefaultCleanIdlePeriod,

skipper.go

@@ -990,6 +990,11 @@ type Options struct {
 	// KubernetesEnableTLS enables kubernetes to use resources to terminate tls
 	KubernetesEnableTLS bool
 
+	// EnableLua allows to use lua() filters, if not enabled
+	// skipper does not support Lua, because of security
+	// considerations.
+	EnableLua bool
+
 	// LuaModules that are allowed to be used.
 	//
 	// Use <module>.<symbol> to selectively enable module symbols,
@@ -2045,15 +2050,17 @@ func run(o Options, sig chan os.Signal, idleConnsCH chan struct{}) error {
 		o.CustomFilters = append(o.CustomFilters, compress)
 	}
 
-	lua, err := script.NewLuaScriptWithOptions(script.LuaOptions{
-		Modules: o.LuaModules,
-		Sources: o.LuaSources,
-	})
-	if err != nil {
-		log.Errorf("Failed to create lua filter: %v.", err)
-		return err
+	if o.EnableLua {
+		lua, err := script.NewLuaScriptWithOptions(script.LuaOptions{
+			Modules: o.LuaModules,
+			Sources: o.LuaSources,
+		})
+		if err != nil {
+			log.Errorf("Failed to create lua filter: %v.", err)
+			return err
+		}
+		o.CustomFilters = append(o.CustomFilters, lua)
 	}
-	o.CustomFilters = append(o.CustomFilters, lua)
 
 	// create routing
 	// create the proxy instance