[JW Lua] Security and Lua on Finale

Robert Patterson robert at robertgpatterson.com
Mon Apr 10 01:25:18 CEST 2023


Hello group.

I would like to get your input on something that I have been thinking about
lately. Right now, a hypothetical malicious script could do a lot of damage
to a user's computer. It could make fairly easy guesses about where
important files were and start deleting, for example. There are no
restrictions on os.execute or the luaosutils functions I have added. It
could download a program off the internet and then execute that.

What got me thinking about this is that LuaBridge is soon going to shut
down access to class metatables unless I add code to permit it. And that
raises the whole question of whether malicious scripts are something we
should be worried about. macOS, at least, has quarantine built in to
prevent a downloaded program from running without the user's knowledge. And
I suppose Win10 does as well, at least if it is going to execute at admin
level.

Is this something we should be worried about? All the public scripts I am
aware of are from known and trusted sources and almost all are open source.
I am a firm believer in security that is a smart tradeoff vs. security for
the sake of security. What do others think?