From 4380423d40afa9c12e8018b7d5da4fe0f5ce5c3e Mon Sep 17 00:00:00 2001
From: antirez
Date: Tue, 29 Jan 2019 10:12:22 +0100
Subject: [PATCH] ACL: enforce ACLs in Lua scripts as well.
---
 src/scripting.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/scripting.c b/src/scripting.c
index f6df3840..cbbf43fb 100644
--- a/src/scripting.c
+++ b/src/scripting.c
@@ -460,6 +460,7 @@ int luaRedisGenericCommand(lua_State *lua, int raise_error) {
 /* Setup our fake client for command execution */
 c->argv = argv;
 c->argc = argc;
+ c->user = server.lua_caller->user;
 /* Log the command if debugging is active. */
 if (ldb.active && ldb.step) {
@@ -497,6 +498,19 @@ int luaRedisGenericCommand(lua_State *lua, int raise_error) {
 goto cleanup;
 }
+ /* Check the ACLs. */
+ int acl_retval = ACLCheckCommandPerm(c);
+ if (acl_retval != ACL_OK) {
+ if (acl_retval == ACL_DENIED_CMD)
+ luaPushError(lua, "The user executing the script can't run this "
+ "command or subcommand");
+ else
+ luaPushError(lua, "The user executing the script can't access "
+ "at least one of the keys mentioned in the "
+ "command arguments");
+ goto cleanup;
+ }
+
 /* Write commands are forbidden against read-only slaves, or if a
 * command marked as non-deterministic was already called in the context
 * of this script. */
@@ -655,6 +669,8 @@ cleanup:
 argv_size = 0;
 }
+ c->user = NULL;
+
 if (raise_error) {
 /* If we are here we should have an error in the stack, in the
 * form of a table with an "err" field. Extract the string to
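Review bot: The added `c->user = server.lua_caller->user;` in the first hunk dereferences `server.lua_caller` with no guard and no comment, so a call that reaches this point without a calling client would crash instead of failing closed. Whether that can happen is not visible here, because the body of luaRedisGenericCommand starts and ends outside the hunk. At minimum, state the invariant next to the assignment, e.g. `/* The fake client borrows the caller's user so ACL checks apply to every command the script issues; lua_caller is expected to be set while a script runs. */`. If the invariant is not guaranteed by the callers, `serverAssert(server.lua_caller != NULL);` before the assignment makes the assumption explicit.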
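Review bot: The bare `else` in the new ACL block of the second hunk reports a key-access denial for every return value other than `ACL_OK` and `ACL_DENIED_CMD`, so any result code later added to `ACLCheckCommandPerm()` would reach script authors with the wrong reason. Matching the key case explicitly with `else if (acl_retval == ACL_DENIED_KEY)` (assuming that is the key-denial constant; it is not shown in this patch) and ending with a generic `else luaPushError(lua, "The user executing the script lacks the required permissions");` keeps the messages truthful. The denial is also surfaced only as a Lua error, which a script can swallow when `raise_error` is 0, so a server-side log line here would give operators an audit trail of blocked commands. The enclosing function starts and ends outside the hunk.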
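Review bot: Resetting with `c->user = NULL;` in the cleanup path of the third hunk makes "no user" the resting state of the shared fake client. If `ACLCheckCommandPerm()` treats a NULL user as unrestricted (not visible in this patch), any path that runs a command through this client without first assigning a user would skip ACL enforcement. A comment should record the contract, e.g. `/* Drop the borrowed user pointer so the fake client never keeps a reference past this call; every user of this client must set c->user before checking ACLs. */`. It is also worth confirming that every exit taken after the assignment in the first hunk passes through `cleanup:`, since the code around the label lies outside the hunk.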