feat(request-transformer): honor untrusted_lua configuration values

CHANGELOG.md

@@ -143,6 +143,8 @@
 - **Request-Transformer**: fix an issue where requests would intermittently
   be proxied with incorrect query parameters.
   [10539](https://github.com/Kong/kong/pull/10539)
+- **Request Transformer**: honor value of untrusted_lua configuration parameter
+  [#10327](https://github.com/Kong/kong/pull/10327)
 
 ### Changed
 

kong/plugins/request-transformer/access.lua

@@ -2,6 +2,7 @@ local multipart = require "multipart"
 local cjson = require("cjson.safe").new()
 local pl_template = require "pl.template"
 local pl_tablex = require "pl.tablex"
+local sandbox = require "kong.tools.sandbox"
 
 local table_insert = table.insert
 local get_uri_args = kong.request.get_query
@@ -23,6 +24,8 @@ local pairs = pairs
 local error = error
 local rawset = rawset
 local pl_copy_table = pl_tablex.deepcopy
+local lua_enabled = sandbox.configuration.enabled
+local sandbox_enabled = sandbox.configuration.sandbox_enabled
 
 local _M = {}
 local template_cache = setmetatable( {}, { __mode = "k" })
@@ -74,6 +77,17 @@ local function param_value(source_template, config_array, template_env)
     return nil
   end
 
+  if not lua_enabled then
+    -- Detect expressions in the source template
+    local expr = str_find(source_template, "%$%(.*%)")
+    if expr then
+      return nil, "loading of untrusted Lua code disabled because " ..
+                  "'untrusted_lua' config option is set to 'off'"
+    end
+    -- Lua is disabled, no need to render the template
+    return source_template
+  end
+
   -- find compiled templates for this plugin-configuration array
   local compiled_templates = template_cache[config_array]
   if not compiled_templates then
@@ -498,7 +512,9 @@ function _M.execute(conf)
       }
       local loader = lazy_loaders[key]
       if not loader then
-        -- we don't have a loader, so just return nothing
+        if lua_enabled and not sandbox_enabled then
+          return _G[key]
+        end
         return
       end
       -- set the result on the table to not load again
@@ -511,13 +527,17 @@ function _M.execute(conf)
     end,
   }
 
-  local template_env = setmetatable({
+  local template_env = {}
+  if lua_enabled and sandbox_enabled then
+    -- load the sandbox environment to be used to render the template
+    template_env = pl_copy_table(sandbox.configuration.environment)
     -- here we can optionally add functions to expose to the sandbox, eg:
-    -- tostring = tostring,  -- for example
+    -- tostring = tostring,
     -- because headers may contain array elements such as duplicated headers
     -- type is a useful function in these cases. See issue #25.
-    type = type,
-  }, __meta_environment)
+    template_env.type = type
+  end
+  setmetatable(template_env, __meta_environment)
 
   transform_uri(conf, template_env)
   transform_method(conf)