Fix lua-enable-insecure-api default value cannot be changed to yes #3548

Merged: enjoy-binbin merged 2 commits into valkey-io:unstable from enjoy-binbin:allow_insecure_api, Apr 27, 2026

@enjoy-binbin

Member

The default value of lua-enable-insecure-api cannot be safely changed
from no to yes due to two issues:

  1. In createEngineContext(), lua_enable_insecure_api was hardcoded to 0
    before initializing Lua states, so deprecated APIs (newproxy, setfenv,
    getfenv) were never registered in the global table regardless of the
    actual config value. Once the global table is locked, the config
    change has no effect.

  2. lua_insecure_api_current was initialized to 0 (struct zero-init) and
    never synced with the final config value. If the default was changed
    to yes(1), a subsequent CONFIG SET no would see both values as 0 and
    skip the evalReset() call in updateLuaEnableInsecureApi().

Fix by reading the real config via isLuaInsecureAPIEnabled() in
createEngineContext() before Lua state initialization, and syncing
lua_insecure_api_current after all config sources (default, config file,
command-line args) are applied.

Signed-off-by: Binbin <binloveplay1314@qq.com>
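
A simplified C model of the two issues in the description above, added here as an illustration; it is not Valkey's code. The struct, the `registered` flag, the `fix_init`/`fix_sync` switches and all function bodies are assumptions; only the config and variable names come from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model (assumption): `registered` stands for newproxy/setfenv/getfenv
 * being present in the engine's locked global table. */
struct model {
    int cfg;         /* lua-enable-insecure-api as configured */
    int current;     /* lua_insecure_api_current: value last applied */
    bool registered; /* deprecated APIs reachable from scripts */
};

/* Globals are populated once, then locked; the pre-fix path hardcodes 0. */
static void create_engine(struct model *m, bool fix_init) {
    m->registered = (fix_init ? m->cfg : 0) != 0;
}

/* CONFIG SET handler: rebuild the state only if the applied value differs. */
static void config_set(struct model *m, int value) {
    m->cfg = value;
    if (m->cfg == m->current) return; /* stale `current` skips the reset */
    m->registered = (m->cfg != 0);    /* stands in for evalReset() */
    m->current = m->cfg;
}

static struct model boot(int dflt, bool fix_init, bool fix_sync) {
    struct model m = {0};            /* current starts at 0 (zero-init) */
    m.cfg = dflt;                    /* default, config file, argv applied */
    create_engine(&m, fix_init);
    if (fix_sync) m.current = m.cfg; /* sync after all config sources */
    return m;
}

/* Are the deprecated APIs reachable right after startup? */
static bool apis_after_boot(int dflt, bool fix_init, bool fix_sync) {
    return boot(dflt, fix_init, fix_sync).registered;
}

/* Default yes, then CONFIG SET no: are the APIs still reachable? */
static bool apis_after_disable(bool fix_init, bool fix_sync) {
    struct model m = boot(1, fix_init, fix_sync);
    config_set(&m, 0);
    return m.registered;
}

int main(void) {
    printf("issue 1, default yes, APIs registered: %d\n", apis_after_boot(1, false, false));
    printf("issue 2, APIs left after CONFIG SET no: %d\n", apis_after_disable(true, false));
    printf("fixed,   APIs left after CONFIG SET no: %d\n", apis_after_disable(true, true));
    return 0;
}
```
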
@codecov

codecov Bot commented Apr 23, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.35%. Comparing base (9709843) to head (fd0f7ef).
⚠️ Report is 15 commits behind head on unstable.

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #3548      +/-   ##
============================================
- Coverage     76.46%   76.35%   -0.12%     
============================================
  Files           159      159              
  Lines         81675    80055    -1620     
============================================
- Hits          62454    61125    -1329     
+ Misses        19221    18930     -291     
Files with missing lines Coverage Δ
src/server.c 89.50% <100.00%> (+0.09%) ⬆️

... and 125 files with indirect coverage changes


Signed-off-by: Binbin <binloveplay1314@qq.com>

@rjd15372 rjd15372 left a comment

lgtm

@enjoy-binbin enjoy-binbin moved this to To be backported in Valkey 7.2 Apr 27, 2026
@enjoy-binbin enjoy-binbin moved this to To be backported in Valkey 8.0 Apr 27, 2026
@enjoy-binbin enjoy-binbin moved this to To be backported in Valkey 8.1 Apr 27, 2026
@enjoy-binbin enjoy-binbin moved this to To be backported in Valkey 9.0 Apr 27, 2026
@enjoy-binbin enjoy-binbin moved this to To be backported in Valkey 9.1 Apr 27, 2026
@enjoy-binbin enjoy-binbin merged commit a3e44a5 into valkey-io:unstable Apr 27, 2026
58 checks passed
@enjoy-binbin enjoy-binbin deleted the allow_insecure_api branch April 27, 2026 03:04
sarthakaggarwal97 pushed a commit to sarthakaggarwal97/valkey that referenced this pull request Apr 27, 2026
…alkey-io#3548)

sarthakaggarwal97 added a commit to sarthakaggarwal97/valkey that referenced this pull request Apr 27, 2026
madolson pushed a commit that referenced this pull request Apr 27, 2026
…3548)

@sarthakaggarwal97 sarthakaggarwal97 added the release-notes This issue should get a line item in the release notes label Apr 28, 2026
@sarthakaggarwal97 sarthakaggarwal97 moved this from To be backported to Done in Valkey 9.1 May 16, 2026