make :members() not return index, add -DBLLUA_ALLOWFFI, allow reading modules/lualib/, bug fixes

src/bllua4.cpp

@@ -1,4 +1,4 @@
-// BlockLua (bllua4): Simple Lua interface for TorqueScript
+// BlockLua (bllua4): Advanced Lua interface for TorqueScript
 
 // Includes
 
@@ -57,22 +57,26 @@ bool init() {
 	
 	// Set up Lua environment
 	BLL_LOAD_LUA(gL, bll_fileLuaEnv);
+	#ifdef BLLUA_ALLOWFFI
+		lua_pushboolean(gL, true);
+		lua_setglobal(gL, "_bllua_allowffi");
+	#endif
 	#ifndef BLLUA_UNSAFE
 		BLL_LOAD_LUA(gL, bll_fileLuaEnvSafe);
 	#endif
 	
-	// Expose Lua API to TS
-	BlAddFunction(NULL, NULL, "_bllua_luacall", bll_ts_luacall, "LuaCall(name, ...) - Call Lua function and return result", 2, 20);
-	BlEval(bll_fileTsEnv);
-	
-	// Load utilities
+	// Load utilities in Lua
 	BLL_LOAD_LUA(gL, bll_fileLuaStd);
 	BLL_LOAD_LUA(gL, bll_fileLuaVector);
 	BLL_LOAD_LUA(gL, bll_fileLuaMatrix);
 	BLL_LOAD_LUA(gL, bll_fileLuaLibts);
-	BlEval(bll_fileTsLibts);
 	BLL_LOAD_LUA(gL, bll_fileLuaLibbl);
 	BLL_LOAD_LUA(gL, bll_fileLuaLibblTypes);
+	
+	// Expose Lua API to TS
+	BlAddFunction(NULL, NULL, "_bllua_luacall", bll_ts_luacall, "LuaCall(name, ...) - Call Lua function and return result", 2, 20);
+	BlEval(bll_fileTsEnv);
+	BlEval(bll_fileTsLibts);
 	BlEval(bll_fileTsLibblSupport);
 	BlEval(bll_fileLoadaddons);
 	
@@ -85,8 +89,7 @@ bool init() {
 bool deinit() {
 	BlPrintf("BlockLua: Unloading");
 	
-	BlEval("deactivatePackage(_bllua_main);");
-	BlEval("$_bllua_active = 0;");
+	BlEval("$_bllua_active=0;deactivatePackage(_bllua_main);");
 	bll_LuaEval(gL, "for _,f in pairs(_bllua_on_unload) do f() end");
 	
 	lua_close(gL);

src/lua-env-safe.lua

@@ -12,6 +12,7 @@ local old_require = require
 local old_os = os
 local old_debug = debug
 local old_package = package
+local old_allowffi = _bllua_allowffi
 
 -- Remove all global variables except a whitelist
 local ok_names = tmap {
@@ -37,13 +38,10 @@ end
 
 -- Sanitize file paths to point only to allowed files within the game directory
 -- List of allowed directories for reading/writing
+-- modules/lualib is also allowed as read-only
 local allowed_dirs = tmap {
 	'add-ons', 'base', 'config', 'saves', 'screenshots', 'shaders'
 }
--- List of allowed directories for reading only
-local allowed_dirs_readonly = tmap {
-	'lualib'
-}
 -- List of disallowed file extensions - basically executable file extensions
 -- Note that even without this protection, exploiting would still require somehow
 --   getting a file within the allowed directories to autorun,
@@ -79,14 +77,15 @@ local function safe_path(fn, readonly)
 	end
 	-- allow only whitelisted dirs
 	local dir = fn:match('^([^/]+)/')
-	if (not dir) or (
-		(not allowed_dirs[dir:lower()]) and
-		((not readonly) or (not allowed_dirs_readonly[dir:lower()])) ) then
-		return nil, 'filename is in disallowed directory '..(dir or 'nil')
+	if not (dir and (
+		allowed_dirs[dir:lower()] or
+		( readonly and fn:find('^modules/lualib/') ) ))
+	then
+		return nil, 'File is in disallowed directory '..(dir or 'nil')
 	end
-	-- disallow blacklisted extensions or no extension
+	-- disallow blacklisted extensions
 	local ext = fn:match('%.([^/%.]+)$')
-	if (not ext) or (disallowed_exts[ext:lower()]) then
+	if ext and disallowed_exts[ext:lower()] then
 		return nil, 'Filename \''..fn..'\' has disallowed extension \''..
 			(ext or '')..'\''
 	end
@@ -117,6 +116,7 @@ local disallowed_packages = tmap {
 	'ffi', 'debug', 'package', 'io', 'os',
 	'_bllua_ts',
 }
+if old_allowffi then disallowed_packages['ffi'] = nil end
 function _bllua_requiresecure(name)
 	if name:find('[^a-zA-Z0-9_%-%.]') or name:find('%.%.') or
 		name:find('^%.') or name:find('%.$') then

src/lua-env.lua

@@ -37,5 +37,9 @@ function _bllua_on_error(err)
 	return table.concat(tracelines, '\n')
 end
 
+-- overridden in lua-env-safe.lua (executed if not BLLUA_UNSAFE)
+_bllua_io_open = io.open
+_bllua_requiresecure = require
+
 print = _bllua_ts.echo
 print('  Executed bllua-env.lua')

src/util/libbl.lua

@@ -107,13 +107,14 @@ end
 
 -- Type conversion from TS to Lua
 local fromTsForceTypes = {
-	['boolean'] = tsBool,
-	['object'] = function(val) toTsObject(val) end, -- wrap because toTsObject not defined yet
+	['boolean'] = function(val) return tsBool(val) end,
+	['object'] = function(val) return toTsObject(val) end, -- wrap because toTsObject not defined yet
 	['string'] = function(val) return val end,
 }
 local function forceValFromTs(val, typ)
-	return fromTsForceTypes[typ](val) or
-		error('valFromTs: invalid force type '..typ, 4)
+	local func = fromTsForceTypes[typ]
+	if not func then error('valFromTs: invalid force type \''..typ..'\'', 4) end
+	return func(val)
 end
 local function vectorFromTs(val)
 	local xS,yS,zS = val:match('^(%-?[0-9%.e]+) (%-?[0-9%.e]+) (%-?[0-9%.e]+)$')
@@ -154,7 +155,8 @@ local function multinumericFromTs(val)
 	end
 end
 bl._forceType = bl._forceType or {}
-local function valFromTs(val, name, name2) -- todo: ensure name and name2 are already lowercase
+-- todo: ensure name and name2 are already lowercase
+local function valFromTs(val, name, name2)
 	if type(val)~='string' then
 		error('valFromTs: expected string, got '..type(val), 3) end
 	if name then
@@ -362,17 +364,19 @@ local tsObjectMeta = {
 				tsIsFunctionNs(rawget(t,'_tsNamespace'), name) or
 				tsIsFunctionNs(rawget(t,'_tsName'), name)
 			then
-				return function(t, ...)
-					local args = {...}
-					local argsS = arglistToTs(args)
-					return valFromTs(
-						_bllua_ts.callobj(rawget(t,'_tsObjectId'), name, unpack(argsS)),
-						rawget(t,'_tsName') and rawget(t,'_tsName')..'::'..name,
-						rawget(t,'_tsNamespace')..'::'..name)
+				return function(t2, ...)
+					if t2==nil or type(t2)~='table' or not t2._tsObjectId then
+						error('ts object method: be sure to use :func() not .func()', 2) end
+					local argsS = arglistToTs({...})
+					local res =
+						_bllua_ts.callobj(t2._tsObjectId, name, unpack(argsS))
+					return valFromTs(res,
+						t2._tsName and t2._tsName..'::'..name,
+						t2._tsNamespace..'::'..name)
 				end
 			else
-				return valFromTs(
-					_bllua_ts.getfield(rawget(t,'_tsObjectId'), name),
+				local res = _bllua_ts.getfield(rawget(t,'_tsObjectId'), name)
+				return valFromTs(res,
 					rawget(t,'_tsName') and rawget(t,'_tsName')..'.'..name,
 					rawget(t,'_tsNamespace')..'.'..name)
 			end
@@ -437,7 +441,8 @@ local tsObjectMeta = {
 				local obj = toTsObject(_bllua_ts.callobj(t._tsObjectId,
 					'getObject', tostring(idx)))
 				idx = idx+1
-				return idx-1, obj
+				--return idx-1, obj
+				return obj
 			else
 				return nil
 			end
@@ -559,9 +564,9 @@ local function tsNamespacedCallTfname(name)
 end
 local function tsCallGen(name)
 	return function(...)
-		local args = {...}
-		local argsS = arglistToTs(args)
-		return valFromTs(_bllua_ts.call(name, unpack(argsS)), name)
+		local argsS = arglistToTs({...})
+		local res = _bllua_ts.call(name, unpack(argsS))
+		return valFromTs(res, name)
 	end
 end
 
@@ -587,14 +592,16 @@ local tsMeta = {
 				if not rest:find('::') and tsIsFunctionNs(ns, rest) then
 					return tsCallGen(tsNamespacedCallTfname(name))
 				else
-					return valFromTs(_bllua_ts.getvar(name), name)
+					local res = _bllua_ts.getvar(name)
+					return valFromTs(res, name)
 				end
 			elseif tsIsFunction(name) then
 				return tsCallGen(name)
 			elseif tsIsObject(name) then
 				return toTsObject(name)
 			else
-				return valFromTs(_bllua_ts.getvar(name), name)
+				local res = _bllua_ts.getvar(name)
+				return valFromTs(res, name)
 			end
 		end
 	end,
@@ -613,10 +620,12 @@ function bl.call(func, ...)
 	return _bllua_ts.call(func, unpack(argsS))
 end
 function bl.eval(code)
-	return valFromTs(_bllua_ts.eval(code))
+	local res = _bllua_ts.eval(code)
+	return valFromTs(res)
 end
 function bl.exec(file)
-	return valFromTs(_bllua_ts.call('exec', file))
+	local res = _bllua_ts.call('exec', file)
+	return valFromTs(res)
 end
 function bl.array(name, ...)
 	local rest = {...}
@@ -645,7 +654,6 @@ end
 -- Lua calling from TS
 local luaLookup
 luaLookup = function(tbl, name, set, val)
-	print('lookup', tbl, name, set, val)
 	if name:find('%.') then
 		local first, rest = name:match('^([^%.:]+)%.(.+)$')
 		if not isValidFuncName(first) then
@@ -661,6 +669,8 @@ luaLookup = function(tbl, name, set, val)
 			error('luacall: cannot have : or . after :', 3) end
 		if not isValidFuncName(first) then
 			error('luacall: invalid name \''..tostring(first)..'\'', 3) end
+		if not isValidFuncName(rest) then
+			error('luacall: invalid method name \''..tostring(first)..'\'', 3) end
 		if not tbl[first] then
 			error('luacall: no object named \''..rest..'\'', 3) end
 		if not tbl[first][rest] then
@@ -681,7 +691,7 @@ function _bllua_call(fname, ...)
 	local args = arglistFromTs(fname:lower(), {...}) -- todo: separate lua from ts func names?
 	local func = luaLookup(_G, fname)
 	if not func then
-		error('luacall: no global in lua named \''..name..'\'', 2) end
+		error('luacall: no global in lua named \''..fname..'\'', 2) end
 	local res = func(unpack(args))
 	return valToTs(res)
 end

src/util/libts-lua.lua

@@ -89,11 +89,12 @@ local allowed_zip_dirs = tflip{
 local function io_open_absolute(fn, mode)
 	-- if file exists, use original mode
 	local res, err = _bllua_io_open(fn, mode)
-	if res then return res end
+	if res then return res
+	elseif err and not err:find('No such file or directory$') then return nil, err end
 	
 	-- otherwise, if TS sees file but Lua doesn't, it must be in a zip, so use TS reader
 	local dir = fn:match('^[^/]+')
-	if not allowed_zip_dirs[dir:lower()] then return nil, 'File is not in one of the allowed directories' end
+	if not allowed_zip_dirs[dir:lower()] then return nil, 'Zip is not in one of the allowed directories' end
 	local exist = _bllua_ts.call('isFile', fn) == '1'
 	if not exist then return nil, err end
 	

src/util/std.lua

@@ -179,7 +179,7 @@ valueToString = function(v, tabLevel, seen)
 		return tostring(v)
 	else
 		--error('table.tostring: table contains a '..t..' value, cannot serialize')
-		return 'nil --[[ cannot serialize '..tostring(v)..' ]]'
+		return 'nil --[[ '..tostring(v)..' ]]'
 	end
 end
 function table.tostring(t)