Request-transformer plugin: how to use modules in lua template?

I am really new to kong, but was able to setup kong in a docker container and to use the request-transformer plugin to manipulate certain header-fields in the request-headers (following the examples in the documentation).

However, now I want to manipulate/encrypt values of a certain field in the JSON-body of my requests.

I thought, I can use the advances templates method as described here in this documentation:

… but it fails when I try to use include additional LUA modules adding lines like this:
local lunajson = require("lunajson")

(I installed lunajson via luarocks in my kong container beforehand).

Can you give me a hint, how to manipulate values in a JSON body of a request using external modules?

Kind regards

A.

1 Like

Hi there - instead of using the custom_fields_by_lua in the request transformer, you will need to use a custom plugin to include a third party library.

The plugins that allow for arbitrary lua (including request-transformer) do not allow for third party libraries to be imported (even ones that ship with kong natively). the reason for this is that they are sandboxed, and don’t have access to the global cache. This is to prevent something nefarious being added to a plugin (retrieving and postgres password/etc) with no other security checks. A custom plugin requires that you have access to the DP machine to upload the code, which is more secure.

I hope this is useful and sorry for any confusion. You can see how to get started with custom plugins here: Implementing Custom Logic - Kong Gateway | Kong Docs

1 Like

Thanks for your reply, Tom - I highly appreciated it.
I solved the problem in between by just doing

echo “untrusted_lua = on” >> /etc/kong/kong.conf.default

As far as I understood from your response:
as long as the request transformer itself is not malicious, this can not harm anything, right?
(assuming our own code/template in request transformer is secure)

Sorry for asking silly questions - I am far away from understanding how this big Kong software package with all its capabilities works.

Kind regards

A.

Great you found a solution - the unstrusted_lua flag will allow the arbitrary code to be executed (default is off I believe). For large organizations, where permissions/different teams manage different parts of the deployment, sometimes untrusted_lua is a concern. If that isn’t the case for you - then it should be fine :slight_smile:

The untrusted_lua code is actually sandboxed as well, so it can’t reach over into the standard Kong cache and grab things it shoudn’t be grabbing! Cheers.

The untrusted_lua code is actually sandboxed as well, so it can’t reach over into
the standard Kong cache and grab things it shoudn’t be grabbing! Cheers.

Sounds perfect for us.
Thank you for your help!!

Kind regards

A.