Hi all,
I’d like to share Clua 0.1.1 — a small library for running untrusted Lua scripts safely inside Clojure/JVM applications.
Why this exists
Many systems eventually need user-defined logic:
- automation rules
- plugins
- dynamic configuration
Evaluating Clojure directly is often not an option:
- no isolation
- hard to restrict capabilities
- security concerns
Clua takes a different approach: instead of trying to sandbox Clojure, it embeds a sandboxed Lua interpreter implemented in Clojure.
Safety-first design
Clua is built around the idea that scripts should be isolated by default:
- no access to filesystem or network unless explicitly provided
- no access to JVM internals
- controlled globals (you expose exactly what scripts can see)
- resource limits (execution steps, memory caps)
- errors are returned as data — not thrown exceptions
This makes it suitable for executing untrusted user code inside backend systems.
Example
```clojure
(require
  '[clua.core :as lua]
  '[clua.stdlib.core :as stdlib])

;; simple execution
(lua/execute "return 1 + 1")
;; => {:ok true, :result 2}

;; controlled environment
(lua/execute
  (stdlib/sandbox-standard)
  {:globals {:fn/greet (fn [s] (str "Hello, " s "!"))}}
  "return greet('world')")
;; => {:ok true, :result "Hello, world!"}

;; errors are data
(lua/execute "return 1 + nil")
;; => {:ok false, :error "...", :line 1, :column 10}
```
What’s included
- Lua 5.5 interpreter implemented in Clojure
- sandboxed execution model (default-deny)
- virtualized environment (no implicit side effects)
- thread-safe execution
- minimal dependencies (only clj-antlr)
Install
io.github.galatyn/clua {:mvn/version "0.1.1"}
Available on Clojars.
Feedback welcome
I’d really appreciate feedback:
- what guarantees/features would you expect for “safe scripting”?
- any real-world use cases I should test against?
Thanks!
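
A host-side pattern built only on the calls shown in the post, added here as an illustration and not code from the Clua project: an untrusted automation rule receives a single allowlisted capability through `:globals`, and the caller fails closed on the error-as-data result. The names `rule-allows?`, `field-reader`, `readable-fields` and the sample event are hypothetical, and the example assumes Lua strings, booleans and nil convert to and from their Clojure equivalents.

```clojure
(ns example.rule-gate
  (:require [clua.core :as lua]
            [clua.stdlib.core :as stdlib]))

;; Constructed sample event; :session-token must never reach a script.
(def sample-event
  {:role "admin" :action "delete" :session-token "constructed-secret"})

;; Host-side allowlist of fields a rule may read (hypothetical name).
(def readable-fields #{"role" "action"})

(defn field-reader
  "Returns the only capability handed to the script: a lookup that
  answers nil for anything outside the allowlist."
  [event]
  (fn [k]
    (when (contains? readable-fields k)
      (get event (keyword k)))))

(defn rule-allows?
  "Runs an untrusted Lua rule against event and fails closed: a script
  error or any result other than boolean true is a deny."
  [rule-src event]
  (let [res (lua/execute
             (stdlib/sandbox-standard)
             {:globals {:fn/field (field-reader event)}}
             rule-src)]
    (if (and (:ok res) (true? (:result res)))
      {:allow true}
      ;; Keep the error data for the audit log instead of dropping it.
      {:allow false
       :reason (or (:error res) "rule did not return true")})))

(comment
  ;; Assumption: value conversion between Lua and Clojure works as the
  ;; greet example in the post suggests for strings.
  ;; A rule reading an allowlisted field:
  (rule-allows? "return field('role') == 'admin'" sample-event)
  ;; A rule probing for a field outside the allowlist:
  (rule-allows? "return field('session-token') ~= nil" sample-event)
  ;; A rule that errors at runtime, handled as data and denied:
  (rule-allows? "return 1 + nil" sample-event))
```

The script never sees the event map itself, only the closure, so widening what a rule can read is a reviewed change to `readable-fields` rather than something the script can influence.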