Are cjson.safe.encode() and cjson.safe.decode() safe to expose in a Lua sandbox environment for executing arbitrary user code? #119

@ajayNegiCodes

We're using cjson.safe in an OpenResty/Lua environment where we execute arbitrary user-provided Lua code in a sandboxed environment. Currently, we're only exposing cjson.array_mt to the sandbox, but we're considering whether it's safe to expose cjson.encode() and cjson.decode().

Our sandbox setup:

  • Using setfenv() to restrict the execution environment to a limited set of allowed functions (string, table, math operations, etc.)
  • Execution time limits to prevent infinite loops or long-running code
  • Currently only exposing cjson.array_mt (not encode/decode)

Our concerns:

  1. Memory exhaustion: Can malicious JSON input cause unbounded memory allocation?
  2. Resource limits: Are there built-in limits on encode/decode buffer sizes?
  3. Exception handling: Does cjson.safe properly handle errors without throwing exceptions that could break the sandbox?
  4. Best practices: What are the recommended practices for safely exposing JSON encoding/decoding in sandboxed environments?

Questions:

  • Are cjson.safe.encode() and cjson.safe.decode() designed to be safe for sandbox environments?
  • Are there any known security vulnerabilities or resource exhaustion risks?
  • Should we add additional size limits or validation when exposing these functions?
  • Are there any configuration options we should set for sandbox safety?

Environment:

  • OpenResty with LuaJIT
  • Using cjson.safe module
  • Lua 5.1 compatibility
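The setup described above, as an added example that is not part of the issue or of lua-cjson itself: a setfenv() sandbox on LuaJIT / Lua 5.1 that exposes only wrapped cjson.safe functions. The byte cap, the depth cap and the allow-listed environment are assumptions; the wrappers rely on cjson.safe returning nil, err instead of raising, and on the module-level decode_max_depth / encode_max_depth settings.

```lua
-- Added example (not from the issue or lua-cjson): wrapping cjson.safe for a
-- setfenv() sandbox. All limits below are assumed values, not project defaults.
local cjson = require("cjson.safe")

-- Nesting caps are module-level state in lua-cjson; set them once here, outside
-- the sandbox, and never expose the setter functions to user code.
cjson.decode_max_depth(64)
cjson.encode_max_depth(64)

local MAX_JSON_BYTES = 64 * 1024  -- assumed cap on input and output size

local function safe_decode(s)
  if type(s) ~= "string" then return nil, "decode expects a string" end
  if #s > MAX_JSON_BYTES then return nil, "json input too large" end
  return cjson.decode(s)  -- cjson.safe returns nil, err instead of raising
end

local function safe_encode(v)
  local out, err = cjson.encode(v)
  if not out then return nil, err end
  if #out > MAX_JSON_BYTES then return nil, "json output too large" end
  return out
end

-- Allow-listed environment: no require, io, os, debug, load, or the raw cjson table.
local function make_env()
  return {
    string = string, table = table, math = math,
    pairs = pairs, ipairs = ipairs, type = type, tostring = tostring,
    tonumber = tonumber, select = select, error = error, pcall = pcall,
    json = { encode = safe_encode, decode = safe_decode, array_mt = cjson.array_mt },
  }
end

local function run_sandboxed(src)
  local fn, err = loadstring(src, "=user")   -- Lua 5.1 / LuaJIT
  if not fn then return nil, err end
  setfenv(fn, make_env())
  return pcall(fn)                           -- user errors never escape the host
end

-- Constructed user script: a normal decode/encode plus an input nested deeper
-- than the decode_max_depth cap, which comes back as nil, err inside the sandbox.
local ok, res = run_sandboxed([[
  local v = json.decode('{"a":[1,2,3]}')
  local deep = string.rep("[", 70) .. string.rep("]", 70)
  local _, err = json.decode(deep)
  return json.encode({ sum = v.a[1] + v.a[2] + v.a[3], depth_rejected = err ~= nil })
]])
print(ok, res)
```

The execution-time limit from the issue still has to come from outside (e.g. a debug hook or the OpenResty worker), since neither wrapper bounds CPU time.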
