
make :members() not return index, add -DBLLUA_ALLOWFFI, allow reading modules/lualib/, bug fixes

Redo
2025-10-06 23:03:12 -05:00
parent 76c758a47b
commit 7232ede09d
8 changed files with 76 additions and 57 deletions


@@ -12,6 +12,7 @@ local old_require = require
local old_os = os
local old_debug = debug
local old_package = package
local old_allowffi = _bllua_allowffi
-- Remove all global variables except a whitelist
local ok_names = tmap {
@@ -37,13 +38,10 @@ end
-- Sanitize file paths to point only to allowed files within the game directory
-- List of allowed directories for reading/writing
-- modules/lualib is also allowed as read-only
local allowed_dirs = tmap {
'add-ons', 'base', 'config', 'saves', 'screenshots', 'shaders'
}
-- List of allowed directories for reading only
local allowed_dirs_readonly = tmap {
'lualib'
}
-- List of disallowed file extensions - basically executable file extensions
-- Note that even without this protection, exploiting would still require somehow
-- getting a file within the allowed directories to autorun,
@@ -79,14 +77,15 @@ local function safe_path(fn, readonly)
end
-- allow only whitelisted dirs
local dir = fn:match('^([^/]+)/')
if (not dir) or (
(not allowed_dirs[dir:lower()]) and
((not readonly) or (not allowed_dirs_readonly[dir:lower()])) ) then
return nil, 'filename is in disallowed directory '..(dir or 'nil')
if not (dir and (
allowed_dirs[dir:lower()] or
( readonly and fn:find('^modules/lualib/') ) ))
then
return nil, 'File is in disallowed directory '..(dir or 'nil')
end
-- disallow blacklisted extensions or no extension
-- disallow blacklisted extensions
local ext = fn:match('%.([^/%.]+)$')
if (not ext) or (disallowed_exts[ext:lower()]) then
if ext and disallowed_exts[ext:lower()] then
return nil, 'Filename \''..fn..'\' has disallowed extension \''..
(ext or '')..'\''
end
@@ -117,6 +116,7 @@ local disallowed_packages = tmap {
'ffi', 'debug', 'package', 'io', 'os',
'_bllua_ts',
}
if old_allowffi then disallowed_packages['ffi'] = nil end
function _bllua_requiresecure(name)
if name:find('[^a-zA-Z0-9_%-%.]') or name:find('%.%.') or
name:find('^%.') or name:find('%.$') then
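Review bot: In the safe_path hunk, the new extension check `if ext and disallowed_exts[ext:lower()] then` passes every name for which `fn:match('%.([^/%.]+)$')` returns nil, which covers names ending in a dot as well as genuinely extensionless ones; the old `(not ext)` branch rejected both. Win32 path normalization drops trailing dots and spaces from the final path component, so the extension that ends up on disk can be one that `disallowed_exts` was meant to block. Unless an earlier check in safe_path (the function starts and ends outside this hunk) already rejects such names, keep that case fail-closed by adding, before the extension lookup, `if fn:find('[%. ]$') then return nil, 'Filename ends with a dot or space' end`. With the new condition `ext` is never nil inside the branch, so `(ext or '')` in the error message can become plain `ext`.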