Create a filesystem abstraction layer for CSM and only allow accessing files that are scanned into it. (#5965)

* Load client-side mods into memory before executing them.

This removes the remaining filesystem access that client-sided mods had and it will hopefully make then more secure.

* Lua Virtual filesystem: don't load the files into memory just scan the filenames into memory.

* Fix the issues with backtrace

* fix most of the issues

* fix code style.

* add a comment

1 files changed, 70 insertions, 33 deletions

diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp
index 5ad7947d5..761597701 100644
--- a/src/script/cpp_api/s_security.cpp
+++ b/src/script/cpp_api/s_security.cpp
@@ -22,6 +22,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 #include "filesys.h"
 #include "porting.h"
 #include "server.h"
+#include "client.h"
 #include "settings.h"
 
 #include <cerrno>
@@ -140,8 +141,18 @@ void ScriptApiSecurity::initializeSecurity()
 
 	lua_State *L = getStack();
 
+	// Backup globals to the registry
+	lua_getglobal(L, "_G");
+	lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
 
-	int old_globals = backupGlobals(L);
+	// Replace the global environment with an empty one
+	int thread = getThread(L);
+	createEmptyEnv(L);
+	setLuaEnv(L, thread);
+
+	// Get old globals
+	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
+	int old_globals = lua_gettop(L);
 
 
 	// Copy safe base functions
@@ -274,80 +285,83 @@ void ScriptApiSecurity::initializeSecurityClient()
 	m_secure = true;
 
 	lua_State *L = getStack();
+	int thread = getThread(L);
 
-
-	int old_globals = backupGlobals(L);
-
+	// create an empty environment
+	createEmptyEnv(L);
 
 	// Copy safe base functions
 	lua_getglobal(L, "_G");
+	lua_getfield(L, -2, "_G");
 	copy_safe(L, whitelist, sizeof(whitelist));
 
 	// And replace unsafe ones
 	SECURE_API(g, dofile);
+	SECURE_API(g, load);
+	SECURE_API(g, loadfile);
 	SECURE_API(g, loadstring);
 	SECURE_API(g, require);
-	lua_pop(L, 1);
+	lua_pop(L, 2);
 
 
 
 	// Copy safe OS functions
-	lua_getfield(L, old_globals, "os");
+	lua_getglobal(L, "os");
 	lua_newtable(L);
 	copy_safe(L, os_whitelist, sizeof(os_whitelist));
-	lua_setglobal(L, "os");
+	lua_setfield(L, -3, "os");
 	lua_pop(L, 1);  // Pop old OS
 
 
 	// Copy safe debug functions
-	lua_getfield(L, old_globals, "debug");
+	lua_getglobal(L, "debug");
 	lua_newtable(L);
 	copy_safe(L, debug_whitelist, sizeof(debug_whitelist));
-	lua_setglobal(L, "debug");
+	lua_setfield(L, -3, "debug");
 	lua_pop(L, 1);  // Pop old debug
 
 #if USE_LUAJIT
 	// Copy safe jit functions, if they exist
-	lua_getfield(L, -1, "jit");
-	if (!lua_isnil(L, -1)) {
-		lua_newtable(L);
-		copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
-		lua_setglobal(L, "jit");
-	}
+	lua_getglobal(L, "jit");
+	lua_newtable(L);
+	copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
+	lua_setfield(L, -3, "jit");
 	lua_pop(L, 1);  // Pop old jit
 #endif
 
-	lua_pop(L, 1); // Pop globals_backup
+	// Set the environment to the one we created earlier
+	setLuaEnv(L, thread);
 }
 
-int ScriptApiSecurity::backupGlobals(lua_State *L)
+int ScriptApiSecurity::getThread(lua_State *L)
 {
-	// Backup globals to the registry
-	lua_getglobal(L, "_G");
-	lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
-
-	// Replace the global environment with an empty one
 #if LUA_VERSION_NUM <= 501
 	int is_main = lua_pushthread(L);  // Push the main thread
 	FATAL_ERROR_IF(!is_main, "Security: ScriptApi's Lua state "
 		"isn't the main Lua thread!");
+	return lua_gettop(L);
 #endif
+	return 0;
+}
+
+void ScriptApiSecurity::createEmptyEnv(lua_State *L)
+{
 	lua_newtable(L);  // Create new environment
 	lua_pushvalue(L, -1);
-	lua_setfield(L, -2, "_G");  // Set _G of new environment
+	lua_setfield(L, -2, "_G");  // Create the _G loop
+}
+
+void ScriptApiSecurity::setLuaEnv(lua_State *L, int thread)
+{
 #if LUA_VERSION_NUM >= 502  // Lua >= 5.2
 	// Set the global environment
 	lua_rawseti(L, LUA_REGISTRYINDEX, LUA_RIDX_GLOBALS);
 #else  // Lua <= 5.1
 	// Set the environment of the main thread
-	FATAL_ERROR_IF(!lua_setfenv(L, -2), "Security: Unable to set "
+	FATAL_ERROR_IF(!lua_setfenv(L, thread), "Security: Unable to set "
 		"environment of the main Lua thread!");
 	lua_pop(L, 1);  // Pop thread
 #endif
-
-	// Get old globals
-	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
-	return lua_gettop(L);
 }
 
 bool ScriptApiSecurity::isSecure(lua_State *L)
@@ -367,11 +381,13 @@ bool ScriptApiSecurity::isSecure(lua_State *L)
 	}
 
 
-bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path)
+bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path, const char *display_name)
 {
 	FILE *fp;
 	char *chunk_name;
-	if (path == NULL) {
+	if (!display_name)
+		display_name = path;
+	if (!path) {
 		fp = stdin;
 		chunk_name = const_cast<char *>("=stdin");
 	} else {
@@ -380,10 +396,10 @@ bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path)
 			lua_pushfstring(L, "%s: %s", path, strerror(errno));
 			return false;
 		}
-		chunk_name = new char[strlen(path) + 2];
+		chunk_name = new char[strlen(display_name) + 2];
 		chunk_name[0] = '@';
 		chunk_name[1] = '\0';
-		strcat(chunk_name, path);
+		strcat(chunk_name, display_name);
 	}
 
 	size_t start = 0;
@@ -626,8 +642,29 @@ int ScriptApiSecurity::sl_g_load(lua_State *L)
 
 int ScriptApiSecurity::sl_g_loadfile(lua_State *L)
 {
-	const char *path = NULL;
+#ifndef SERVER
+	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI);
+	ScriptApiBase *script = (ScriptApiBase *) lua_touserdata(L, -1);
+	lua_pop(L, 1);
 
+	if (script->getType() == ScriptingType::Client) {
+		std:: string display_path = lua_tostring(L, 1);
+		const std::string *path = script->getClient()->getModFile(display_path);
+		if (!path) {
+			std::string error_msg = "Coudln't find script called:" + display_path;
+			lua_pushnil(L);
+			lua_pushstring(L, error_msg.c_str());
+			return 2;
+		}
+		if (!safeLoadFile(L, path->c_str(), display_path.c_str())) {
+			lua_pushnil(L);
+			lua_insert(L, -2);
+			return 2;
+		}
+		return 1;
+	}
+#endif
+	const char *path = NULL;
 	if (lua_isstring(L, 1)) {
 		path = lua_tostring(L, 1);
 		CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);