Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: add Lua sandbox validation for plugins via deck plugin lint#2068

Open
thesp0nge wants to merge 6 commits into
mainfrom
feat_plugin_security_linter
Open

feat: add Lua sandbox validation for plugins via deck plugin lint#2068
thesp0nge wants to merge 6 commits into
mainfrom
feat_plugin_security_linter

Conversation

@thesp0nge

Copy link
Copy Markdown

Introduces a robust static analysis tool for Lua plugin code within decK. The linter checks for security evasion patterns and compatibility with Kong Gateway sandbox levels (OSS and Enterprise profiles).

Key features:

  • AST-based semantic analysis using gopher-lua.
  • Multi-policy support via embedded YAML Knowledge Base.
  • Support for stdin, literal code, and file input.
  • Detection of dangerous side-channel attacks (e.g., SQL-to-shell).
  • Detailed reporting with line numbers and severity levels.

@thesp0nge thesp0nge requested a review from bungle May 21, 2026 13:51
@CLAassistant

CLAassistant commented May 21, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@codecov-commenter

codecov-commenter commented May 21, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 47.50000% with 105 lines in your changes missing coverage. Please review.
✅ Project coverage is 37.01%. Comparing base (41f6c66) to head (38908ff).

Files with missing lines Patch % Lines
cmd/plugin_lint.go 0.00% 50 Missing ⚠️
plugin/lua/validator.go 66.90% 30 Missing and 17 partials ⚠️
cmd/plugin.go 0.00% 7 Missing ⚠️
cmd/root.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2068      +/-   ##
==========================================
+ Coverage   36.73%   37.01%   +0.28%     
==========================================
  Files          78       81       +3     
  Lines        7429     7629     +200     
==========================================
+ Hits         2729     2824      +95     
- Misses       4455     4543      +88     
- Partials      245      262      +17     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Comment thread cmd/plugin_lint.go Outdated
Comment thread cmd/plugin.go
Comment thread cmd/plugin.go Outdated
Comment thread cmd/plugin_lint.go
Comment thread cmd/root.go
Comment thread pkg/lua/policies/kong_ee_3x.yaml Outdated
Comment thread plugin/lua/validator.go Outdated
@thesp0nge thesp0nge force-pushed the feat_plugin_security_linter branch from a702de8 to 3872632 Compare June 8, 2026 15:55
@thesp0nge thesp0nge force-pushed the feat_plugin_security_linter branch from 3872632 to 9f09086 Compare June 17, 2026 09:12
@thesp0nge thesp0nge requested a review from harshadixit12 June 19, 2026 14:27
@harshadixit12

Copy link
Copy Markdown
Contributor

@bungle @thesp0nge reviewed from decK perspective - LGTM, I've not deeply gone through the AST validation though.

harshadixit12
harshadixit12 previously approved these changes Jul 7, 2026
@harshadixit12

Copy link
Copy Markdown
Contributor

@thesp0nge can we please resolve the conflicts?

thesp0nge added 6 commits July 8, 2026 09:32
Introduces a robust static analysis tool for Lua plugin code within decK.
The linter checks for security evasion patterns and compatibility with
Kong Gateway sandbox levels (OSS and Enterprise profiles).

Key features:
- AST-based semantic analysis using gopher-lua.
- Multi-policy support via embedded YAML Knowledge Base.
- Support for stdin, literal code, and file input.
- Detection of dangerous side-channel attacks (e.g., SQL-to-shell).
- Detailed reporting with line numbers and severity levels.
- Fix unused-parameter in executePluginLint
- Wrap long lines in pluginLintCmd flags
- Replace blocked gopkg.in/yaml.v3 with sigs.k8s.io/yaml
- Apply proper formatting (gci, gofumpt, gofmt) across modified files
- Replace gopkg.in/yaml.v3 with sigs.k8s.io/yaml in validator.go to
align with project standards and fix CI failures.
- Remove obsolete and unused policy files in pkg/lua/policies,
keeping only the active ones in plugin/lua/policies
- Add "Reading input from stdin..." hint to plugin lint command.
- Apply proper formatting across modified files.
  - Fix the copy-pasted description for the `--sandbox` (`-s`) flag to list the actual sandbox profiles (lua, standard, strict, lax).
  - Correct the missing closing bracket in the `--edition` (`-e`) flag description.
…linting

  - Simplify plugin command description to reflect that only the lint
    subcommand is currently exposed.
@thesp0nge

Copy link
Copy Markdown
Author

@harshadixit12 solved

Comment thread cmd/plugin.go
@@ -0,0 +1,17 @@
package cmd

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc: @Prashansa-K for visibility - I figured this shouldn't be under deck file lint because the new command is intended for a specific purpose, and can't be configured by users.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants