Secure sandbox environment
To keep the underlying environment safe, the following functions need to be protected or disabled.
Critical (access to file system, possibility of taking control of the machine):
- core functions:
  - include_library - access to file system, can load other libraries
  - include_shared - access to file system, can run some library code
  - include_file - access to file system, can run script files
  - include - access to file system, can load other libraries, can run script files or some library code
  - import_cfunc - access to file system, can run some library code
  - eval_file - access to file system, can run script files
- All functions in I/O library - access to file system
- OS library:
  - os_command - can run any terminal command
Information control (access to data about the system):
- Most functions in OS library - access to environment variables, system date/time info / process locale info.
- core functions:
  - printvar, printvar_ext, dumpvar, dumpvar_ext, sys_stat, toptr - access to memory layout of engine objects