Update libbl.lua

readme.md

@@ -14,10 +14,10 @@ Lua scripting for Blockland
 ### From TorqueScript
 `'print('hello world')` - Execute Lua in the console by prepending a `'` (single quote)  
 `luaeval("code");` - Execute Lua code  
-`luacall("funcName", %args...);` - Call a Lua global function  
-`luaexec("fileName");` - Execute a Lua file. Path rules are the same as executing .cs files.  
-`luaget("varName");` - Read a Lua global variable  
-`luaset("varName", %value);` - Write a Lua global variable  
+`luacall("funcName", %args...);` - Call a Lua function (supports indexing tables and object methods)  
+`luaexec("fileName");` - Execute a Lua file. Path rules are the same as when executing .cs files, relative paths are allowed.  
+`luaget("varName");` - Read a Lua global variable (supports indexing tables)  
+`luaset("varName", %value);` - Write a Lua global variable (supports indexing tables)  
 
 ### From Lua
 `bl.eval('code')` - Eval TorqueScript code  
@@ -35,7 +35,7 @@ Lua scripting for Blockland
 `object.key = value` - Associate Lua data with a Torque object  
 `object:method(args)` - Call a Torque object method  
 `object[index]` - Access a member of a Torque set or group  
-`for childIndex, child in object:members() do` - Iterate objects within of a Torque set or group. Indices start at 0 like in Torque.
+`for child in object:members() do` - Iterate objects within of a Torque set or group. Indices start at 0 like in Torque.
 `bl.isObject(object, objectID, or 'objectName')` - Check if an object exists  
 `object:exists()` - Check if an object exists  
 
@@ -48,15 +48,25 @@ Lua scripting for Blockland
 `for object in bl.boxSearch(vector{centerX,y,z}, vector{sizeX,y,z}, 'objtype'/{'objtypes',...}) do` - Find all objects in the world of the specified type(s) whose bounding box overlaps with the specified box. See the Types section for a list of valid object types.  
 `for object in bl.radiusSearch(vector{centerX,y,z}, radius, 'objtype'/{'objtypes',...}) do` - Find all objects of the specified type(s) whose bounding box overlaps with the specified sphere. See the Types section for a list of valid object types.  
 
+### List of Object Classes (for raycasts and searches)
+`'all'` - Any object  
+`'player'` - Players or bots  
+`'item'` - Items  
+`'vehicle'` - Vehicles  
+`'projectile'` - Projectiles  
+`'brick'` - Bricks with raycasting enabled  
+`'brickalways'` - All bricks including those with raycasting disabled  
+Other types: `'static'`, `'environment'`, `'terrain'`, `'water'`, `'trigger'`, `'marker'`, `'gamebase'`, `'shapebase'`, `'camera'`, `'staticshape'`, `'vehicleblocker'`, `'explosion'`, `'corpse'`, `'debris'`, `'physicalzone'`, `'staticts'`, `'staticrendered'`, `'damagableitem'`  
+
 ### Server-Client Communication
-`bl.addServerCmd('commandName', function(client, args...) yourCode end)` - Register a /command on the server  
-`bl.addClientCmd('commandName', function(args...) yourCode end)` - Register a client command on the client  
-`bl.commandToServer('commandName', args...)` - Execute a server command as a client  
-`bl.commandToClient('commandName', args...)` - As the server, execute a client command on a specific client  
+`bl.addServerCmd('commandName', function(client, args...) ... end)` - Register a /command on the server  
+`bl.addClientCmd('commandName', function(args...) ... end)` - Register a client command on the client  
+`bl.commandToServer('commandName', args...)` - As a client, execute a server command  
+`bl.commandToClient(client, 'commandName', args...)` - As the server, execute a client command on a specific client  
 `bl.commandToAll('commandName', args...)` - As the server, execute a client command on all clients  
 
 ### Packages/Hooks
-`bl.hook('packageName', 'functionName', 'before'/'after', function(args) yourCode end)` - Hook a Torque function with a Lua function.  
+`bl.hook('packageName', 'functionName', 'before'/'after', function(args) ... end)` - Hook a Torque function with a Lua function.  
 `args` is an array containing the arguments provided to the function. If the hook is `before`, these can be modified before being passed to the parent function.  
 If `args._return` is set to anything other than nil by a `before` hook, the parent function will not be called, and the function will simply return that value. Also in this case, any `after` hook will not be executed.  
 In an `after` hook, `args._return` is set to the value returned by the parent function, and can be modified.  
@@ -136,14 +146,16 @@ When reading from outside ZIPs, binary files are fully supported.
 WIP
 
 ### Extended Standard Lua Library
-`string[index]`  
-`string[{start,stop}]`  
+`str[index]`  
+`str[{start,stop}]`  
 `string.split(str, separator='' (splits into chars), noregex=false)`  
 `string.bytes(str)`  
 `string.trim(str, charsToTrim=' \t\r\n')`  
 `table.empty`  
 `table.map(func, ...)`  
+`table.mapk(func, ...)`  
 `table.map_list(func, ...)`  
+`table.mapi_list(func, ...)`  
 `table.swap(tbl)`  
 `table.reverse(list)`  
 `table.islist(list)`  
@@ -173,43 +185,35 @@ TorqueScript stores no type information; all values in TorqueScript are strings.
 ### From Lua to TorqueScript
 - `nil` becomes the empty string ""  
 - `true` and `false` become "1" and "0" respectively  
-- Torque containers become their object ID  
+- A Torque object container becomes its object ID  
 - A `vector` becomes a string containing three numbers separated by spaces  
-- A table of two vectors becomes a string containing six numbers separated by spaces  
+- A table of two `vector`s becomes a string containing six numbers separated by spaces  
+- (WIP) A `matrix` is converted into an axis-angle (a "transform"), a string containing seven numbers separated by spaces  
 - Any `string` is passed directly as a string  
 - Tables cannot be passed and will throw an error  
 
 ### From TorqueScript to Lua
-- Any numeric value becomes a Lua `number`, except as specified with `bl.type`, which may convert a value into a `boolean` or a Torque object container.  
 - The empty string "" becomes `nil`  
+- Any numeric value becomes a Lua `number`, except as specified with `bl.type`, which may convert a value into a `boolean` or a Torque object container.  
 - A string containing two or three numbers separated by single spaces becomes a `vector`  
 - A string containing six numbers separated by single spaces becomes a table of two vectors, usually defining the corners a bounding box  
-- (WIP) A string containing seven numbers separated by single spaces is treated as an axis-angle (a "transform" in TorqueScript parlance), and is converted into a `matrix` representing the translation and rotation.
+- (WIP) A string containing seven numbers separated by single spaces is treated as an axis-angle (a "transform"), and is converted into a `matrix` representing the translation and rotation  
 - Any other string is passed directly as a `string`  
   
 For scenarios where the automatic TorqueScript->Lua conversion rules are insufficient or incorrect, use `bl.type`.  
-To convert objects by hand, use `bl.object`, `bl.boolean`, or `bl.string`.
+To convert things by hand, use `bl.object`, `bl.boolean`, or `bl.string`.
 
 ## I/O and Safety
 All Lua code is sandboxed, and file access is confined to the default directories in the same way TorqueScript is.  
 BlockLua also has access to any C libraries installed in the `modules/lualib` folder, so be careful throwing things in there.  
 ### Unsafe Mode
 BlockLua can be built in Unsafe Mode by specifying the `-DBLLUA_UNSAFE` compiler flag. This removes the sandboxing of Lua code, allowing it to access any file and use any library, including ffi.  
-Please do not publish add-ons that require unsafe mode.  
-
-### List of Object Types
-`'all'` - Any object  
-`'player'` - Players or bots  
-`'item'` - Items  
-`'vehicle'` - Vehicles  
-`'projectile'` - Projectiles  
-`'brick'` - Bricks with raycasting enabled  
-`'brickalways'` - All bricks including those with raycasting disabled  
-Other types: `'static'`, `'environment'`, `'terrain'`, `'water'`, `'trigger'`, `'marker'`, `'gamebase'`, `'shapebase'`, `'camera'`, `'staticshape'`, `'vehicleblocker'`, `'explosion'`, `'corpse'`, `'debris'`, `'physicalzone'`, `'staticts'`, `'staticrendered'`, `'damagableitem'`  
+A more limited option is `-DBLLUA_ALLOWFFI`, which allows the use of the `ffi` library. This can still be exploited to grant all the same access as full unsafe mode.  
+Please do not publish add-ons that require either of these.  
 
 ## Compiling
 
 With any *32-bit* variant of GCC installed (such as MinGW or MSYS2), run the following command in the repo directory:  
-`g++ src/bllua4.cpp -o BlockLua.dll -m32 -shared -static-libgcc -Isrc -Iinc/tsfuncs -Iinc/lua -lpsapi -L. -llua5.1 src/bllua`  
+`g++ src/bllua4.cpp -o BlockLua.dll -m32 -shared -static-libgcc -Isrc -Iinc/tsfuncs -Iinc/lua -lpsapi -L. -llua5.1`  
   
 LuaJIT (lua5.1.dll) can be obtained from https://luajit.org/  

src/bllua4.cpp

@@ -1,4 +1,4 @@
-// BlockLua (bllua4): Simple Lua interface for TorqueScript
+// BlockLua (bllua4): Advanced Lua interface for TorqueScript
 
 // Includes
 
@@ -60,23 +60,27 @@ bool init() {
 
   // Set up Lua environment
   BLL_LOAD_LUA(gL, bll_fileLuaEnv);
+#ifdef BLLUA_ALLOWFFI
+  lua_pushboolean(gL, true);
+  lua_setglobal(gL, "_bllua_allowffi");
+#endif
 #ifndef BLLUA_UNSAFE
   BLL_LOAD_LUA(gL, bll_fileLuaEnvSafe);
 #endif
 
+  // Load utilities in Lua
+  BLL_LOAD_LUA(gL, bll_fileLuaStd);
+  BLL_LOAD_LUA(gL, bll_fileLuaVector);
+  BLL_LOAD_LUA(gL, bll_fileLuaMatrix);
+  BLL_LOAD_LUA(gL, bll_fileLuaLibts);
+  BLL_LOAD_LUA(gL, bll_fileLuaLibbl);
+  BLL_LOAD_LUA(gL, bll_fileLuaLibblTypes);
+
   // Expose Lua API to TS
   BlAddFunction(
       NULL, NULL, "_bllua_luacall", bll_ts_luacall, "LuaCall(name, ...) - Call Lua function and return result", 2, 20);
   BlEval(bll_fileTsEnv);
-
-  // Load utilities
-  BLL_LOAD_LUA(gL, bll_fileLuaStd);
-  BLL_LOAD_LUA(gL, bll_fileLuaVector);
-  BLL_LOAD_LUA(gL, bll_fileLuaMatrix);
-  BLL_LOAD_LUA(gL, bll_fileLuaLibts);
   BlEval(bll_fileTsLibts);
-  BLL_LOAD_LUA(gL, bll_fileLuaLibbl);
-  BLL_LOAD_LUA(gL, bll_fileLuaLibblTypes);
   BlEval(bll_fileTsLibblSupport);
   BlEval(bll_fileLoadaddons);
 
@@ -89,8 +93,7 @@ bool init() {
 bool deinit() {
   BlPrintf("BlockLua: Unloading");
 
-  BlEval("deactivatePackage(_bllua_main);");
-  BlEval("$_bllua_active = 0;");
+  BlEval("$_bllua_active=0;deactivatePackage(_bllua_main);");
   bll_LuaEval(gL, "for _,f in pairs(_bllua_on_unload) do f() end");
 
   lua_close(gL);

src/lua-env-safe.lua

@@ -14,6 +14,7 @@ local old_require = require
 local old_os = os
 local old_debug = debug
 local old_package = package
+local old_allowffi = _bllua_allowffi
 
 -- Remove all global variables except a whitelist
 local ok_names = tmap {
@@ -39,13 +40,10 @@ end
 
 -- Sanitize file paths to point only to allowed files within the game directory
 -- List of allowed directories for reading/writing
+-- modules/lualib is also allowed as read-only
 local allowed_dirs = tmap {
   'add-ons', 'base', 'config', 'saves', 'screenshots', 'shaders'
 }
--- List of allowed directories for reading only
-local allowed_dirs_readonly = tmap {
-  'lualib'
-}
 -- List of disallowed file extensions - basically executable file extensions
 -- Note that even without this protection, exploiting would still require somehow
 --   getting a file within the allowed directories to autorun,
@@ -81,14 +79,15 @@ local function safe_path(fn, readonly)
   end
   -- allow only whitelisted dirs
   local dir = fn:match('^([^/]+)/')
-  if (not dir) or (
-        (not allowed_dirs[dir:lower()]) and
-        ((not readonly) or (not allowed_dirs_readonly[dir:lower()]))) then
-    return nil, 'filename is in disallowed directory ' .. (dir or 'nil')
+  if not (dir and (
+        allowed_dirs[dir:lower()] or
+        (readonly and fn:find('^modules/lualib/'))))
+  then
+    return nil, 'File is in disallowed directory ' .. (dir or 'nil')
   end
-  -- disallow blacklisted extensions or no extension
+  -- disallow blacklisted extensions
   local ext = fn:match('%.([^/%.]+)$')
-  if (not ext) or (disallowed_exts[ext:lower()]) then
+  if ext and disallowed_exts[ext:lower()] then
     return nil, 'Filename \'' .. fn .. '\' has disallowed extension \'' ..
         (ext or '') .. '\''
   end
@@ -120,6 +119,7 @@ local disallowed_packages = tmap {
   'ffi', 'debug', 'package', 'io', 'os',
   '_bllua_ts',
 }
+if old_allowffi then disallowed_packages['ffi'] = nil end
 function _bllua_requiresecure(name)
   if name:find('[^a-zA-Z0-9_%-%.]') or name:find('%.%.') or
       name:find('^%.') or name:find('%.$') then

src/lua-env.lua

@@ -37,5 +37,9 @@ function _bllua_on_error(err)
   return table.concat(tracelines, '\n')
 end
 
+-- overridden in lua-env-safe.lua (executed if not BLLUA_UNSAFE)
+_bllua_io_open = io.open
+_bllua_requiresecure = require
+
 print = _bllua_ts.echo
 print('  Executed bllua-env.lua')

src/util/libts-lua.lua

@@ -93,11 +93,15 @@ local allowed_zip_dirs = tflip {
 local function io_open_absolute(fn, mode)
   -- if file exists, use original mode
   local res, err = _bllua_io_open(fn, mode)
-  if res then return res end
+  if res then
+    return res
+  elseif err and not err:find('No such file or directory$') then
+    return nil, err
+  end
 
   -- otherwise, if TS sees file but Lua doesn't, it must be in a zip, so use TS reader
   local dir = fn:match('^[^/]+')
-  if not allowed_zip_dirs[dir:lower()] then return nil, 'File is not in one of the allowed directories' end
+  if not allowed_zip_dirs[dir:lower()] then return nil, 'Zip is not in one of the allowed directories' end
   local exist = _bllua_ts.call('isFile', fn) == '1'
   if not exist then return nil, err end
 
@@ -142,9 +146,9 @@ end
 
 ---@diagnostic disable-next-line: duplicate-set-field
 function io.type(f)
----@diagnostic disable-next-line: undefined-field
+  ---@diagnostic disable-next-line: undefined-field
   if type(f) == 'table' and f._is_file then
----@diagnostic disable-next-line: undefined-field
+    ---@diagnostic disable-next-line: undefined-field
     return f._is_open and 'file' or 'closed file'
   else
     return _bllua_io_type(f)

src/util/std.lua

@@ -13,8 +13,19 @@ function table.map(f, ...)
   local u = {}
   for k, _ in pairs(ts[1]) do
     local args = {}
-    for j = 1, #ts do args[j] = ts[j][i] end
-    u[i] = f(unpack(args))
+    for j = 1, #ts do args[j] = ts[j][k] end
+    u[k] = f(unpack(args))
+  end
+  return u
+end
+
+function table.mapk(f, ...)
+  local ts = { ... }
+  local u = {}
+  for k, _ in pairs(ts[1]) do
+    local args = {}
+    for j = 1, #ts do args[j] = ts[j][k] end
+    u[k] = f(k, unpack(args))
   end
   return u
 end
@@ -30,6 +41,17 @@ function table.map_list(f, ...)
   return u
 end
 
+function table.mapi_list(f, ...)
+  local ts = { ... }
+  local u = {}
+  for i = 1, #ts[1] do
+    local args = {}
+    for j = 1, #ts do args[j] = ts[j][i] end
+    u[i] = f(i, unpack(args))
+  end
+  return u
+end
+
 -- Swap keys/values
 function table.swap(t)
   local u = {}
@@ -193,7 +215,7 @@ valueToString = function(v, tabLevel, seen)
     return tostring(v)
   else
     --error('table.tostring: table contains a '..t..' value, cannot serialize')
-    return 'nil --[[ cannot serialize ' .. tostring(v) .. ' ]]'
+    return 'nil --[[ ' .. tostring(v) .. ' ]]'
   end
 end
 function table.tostring(t)