content_by_lua_file and nginx variables

scott.alvis · 2018-05-15T08:27:52+00:00

Hello!> Agree. However, it brings up another question - when and under what conditions LuaL_unref is going to get called for coroutine? For example,...

content_by_lua_file and nginx variables

scott.alvis

Hello all,

Can someone elaborate on the potential issues/security concerns with using Nginx variables from a content_by_lua_file script file?

"Nginx variables can be used in the <path-to-lua-script-file> string to provide flexibility. This however carries some risks and is not ordinarily recommended."

# use nginx var in code path
     # CAUTION: contents in nginx var must be carefully filtered,
     # otherwise there'll be great security risk!
     location ~ ^/app/([-_a-zA-Z0-9/]+) {
         set $path $1;
         content_by_lua_file /path/to/lua/app/root/$path.lua;
     }

My specific use case would be a location match that uses regex with named capture groups and uses those in a lua script file.

location ~ "^/(?<idx>[0-9]{2})-(?<wid>[0-9]+)x(?<hei>[0-9]+)\.jpg$" {

content_by_lua_file /path/to/content.lua;

}

Is there risk in using ngx.var.idx, ngx.var.wid, etc. in content.lua? If so what should be done to mitigate the risk?

Any input would be greatly appreciated.

Thank you,

Scott