Hello all,
Can someone elaborate on the potential issues/security concerns with using Nginx variables from a content_by_lua_file script file?
"Nginx variables can be used in the <path-to-lua-script-file> string to provide flexibility. This however carries some risks and is not ordinarily recommended."
    # use nginx var in code path
    # CAUTION: contents in nginx var must be carefully filtered,
    # otherwise there'll be great security risk!
    location ~ ^/app/([-_a-zA-Z0-9/]+) {
        set $path $1;
        content_by_lua_file /path/to/lua/app/root/$path.lua;
    }
My specific use case would be a location match that uses regex with named capture groups and uses those in a lua script file.
    location ~ "^/(?<idx>[0-9]{2})-(?<wid>[0-9]+)x(?<hei>[0-9]+)\.jpg$" {
        content_by_lua_file /path/to/content.lua;
    }
Is there risk in using ngx.var.idx, ngx.var.wid, etc. in content.lua? If so what should be done to mitigate the risk?
Any input would be greatly appreciated.
Thank you,
Scott
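
One way to treat the named captures as untrusted input inside content.lua, as an added example that is not part of the original post or the ngx_lua documentation. MAX_DIM, IMAGE_ROOT and the helper names are assumptions, and the sample tables are constructed so the block also runs under a plain Lua interpreter.

```lua
-- Added example, not from the original post. MAX_DIM and IMAGE_ROOT are assumed values.
local MAX_DIM = 4096                      -- assumed upper bound for width/height
local IMAGE_ROOT = "/path/to/images"      -- hypothetical directory

-- Convert a capture to an integer in [min, max]; return nil if it does not qualify.
local function to_bounded_int(s, min, max)
    if type(s) ~= "string" then return nil end        -- capture absent
    if #s == 0 or #s > 5 then return nil end          -- cap length before converting
    if not s:match("^%d+$") then return nil end       -- digits only, re-checked in Lua
    local n = tonumber(s, 10)
    if not n or n < min or n > max then return nil end
    return n
end

-- vars is a table shaped like ngx.var; returns a request table, or nil and a reason.
local function parse_request(vars)
    local idx = to_bounded_int(vars.idx, 0, 99)
    local wid = to_bounded_int(vars.wid, 1, MAX_DIM)
    local hei = to_bounded_int(vars.hei, 1, MAX_DIM)
    if not idx then return nil, "bad idx" end
    if not wid then return nil, "bad wid" end
    if not hei then return nil, "bad hei" end
    -- The path is built from the validated integer, never from the raw string.
    return { path = string.format("%s/%02d.jpg", IMAGE_ROOT, idx), wid = wid, hei = hei }
end

if ngx then
    -- Running under ngx_lua: use the real captures.
    local req, err = parse_request(ngx.var)
    if not req then
        ngx.log(ngx.WARN, "rejected image request: ", err)
        return ngx.exit(ngx.HTTP_BAD_REQUEST)
    end
    ngx.say(req.path, " ", req.wid, "x", req.hei)
else
    -- Constructed samples for running under a plain Lua interpreter.
    local samples = {
        { idx = "07", wid = "640", hei = "480" },
        { idx = "07", wid = "99999999999", hei = "1" },
        { idx = "07", wid = "0", hei = "480" },
    }
    for _, vars in ipairs(samples) do
        local req, err = parse_request(vars)
        print(req and (req.path .. " " .. req.wid .. "x" .. req.hei) or ("rejected: " .. err))
    end
end
```

The location regex already limits each capture to digits, but `wid` and `hei` have no length limit there, which is why the bound is enforced again in Lua before the values reach any resize or file operation.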