//! Runtime creation and sandboxing.
//!
//! This module provides functions to create sandboxed Lua runtimes. The sandbox
//! restricts dangerous operations while preserving safe Lua standard library
//! functionality.
//!
//! # Security Model
//!
//! Sandboxed runtimes block:
//! - File I/O (io, file)
//! - Code loading (require, dofile, load, loadfile, package)
//! - OS commands (os.execute, os.getenv, etc.)
//! - Metatable manipulation (getmetatable, setmetatable, rawset, rawget)
//! - Coroutines
//! - Garbage collection control
//!
//! Sandboxed runtimes allow:
//! - String manipulation (string.*)
//! - Table operations (table.*)
//! - Math functions (math.*)
//! - UTF-8 support (utf8.*)
//! - Safe OS functions (os.time, os.date)
//!
//! Blocked operations fail with "attempt to call a nil value" errors.
/// Creates a sandboxed Lua runtime.
///
/// Returns a Lua VM with dangerous operations blocked. See module-level documentation
/// for details on what's allowed and blocked.
///
/// # Example
///
/// ```
/// use onetool::runtime;
///
/// # fn example() -> mlua::Result<()> {
/// let lua = runtime::default()?;
///
/// // Safe operations work
/// lua.load("x = math.sqrt(16)").exec()?;
///
/// // Dangerous operations fail
/// let result = lua.load("io.open('file.txt')").exec();
/// assert!(result.is_err());
/// # Ok(())
/// # }
/// ```
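The Security Model lists above, applied from inside Lua as an added example (not code from the onetool crate or from `runtime::default`): a setup chunk of the kind a host could run before untrusted code, followed by `pcall` checks that a blocked call fails with the documented error while the allowed libraries keep working. It assumes a stock Lua 5.1+/LuaJIT global table `_G`; everything else is taken from the doc comment.

```lua
-- Added example, not part of onetool. Applies the module's documented
-- block list to the global environment, then checks the result.
local BLOCKED_GLOBALS = {
  "io",                                                 -- file I/O
  "require", "dofile", "load", "loadfile", "package",   -- code loading
  "getmetatable", "setmetatable", "rawset", "rawget",   -- metatable manipulation
  "coroutine",                                          -- coroutines
  "collectgarbage",                                     -- GC control
}
-- os is pruned rather than removed: only os.time and os.date survive.
local OS_ALLOWED = { time = true, date = true }

local function apply_sandbox(env)
  for _, name in ipairs(BLOCKED_GLOBALS) do
    env[name] = nil
  end
  if type(env.os) == "table" then
    for key in pairs(env.os) do
      -- Assigning nil to an existing field during pairs() is permitted.
      if not OS_ALLOWED[key] then env.os[key] = nil end
    end
  end
  -- string.* stays available (including string.dump); with load/loadfile
  -- gone a dumped chunk cannot be turned back into running code here.
end

apply_sandbox(_G)

-- A blocked global is simply absent, so calling it raises the documented
-- "nil value" error (exact wording differs between 5.1/LuaJIT and 5.2+).
local ok, err = pcall(function() return require("os") end)
assert(not ok and err:find("nil value", 1, true), err)

-- Indexing a removed library table fails as well.
assert(not pcall(function() return io.open("file.txt") end))
assert(os.execute == nil and os.getenv == nil)

-- Allowed functionality is untouched.
assert(math.sqrt(16) == 4)
assert(table.concat({ "a", "b" }, "-") == "a-b")
assert(("abc"):upper() == "ABC")
assert(type(os.time()) == "number")
print("sandbox applied: blocked calls fail, allowed libraries work")
```

Lua's `debug` library appears in neither list above; a host that leaves it in place should decide about it explicitly, since it can reach metatables and upvalues that the list is meant to protect.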