From f3ad75691aea30d2d68aab19fbfa9031409c39d7 Mon Sep 17 00:00:00 2001
From: red-001 <red-001@outlook.ie>
Date: Fri, 30 Jun 2017 19:14:39 +0100
Subject: Create a filesystem abstraction layer for CSM and only allow
 accessing files that are scanned into it. (#5965)

* Load client-side mods into memory before executing them.

This removes the remaining filesystem access that client-sided mods had and it will hopefully make then more secure.

* Lua Virtual filesystem: don't load the files into memory just scan the filenames into memory.

* Fix the issues with backtrace

* fix most of the issues

* fix code style.

* add a comment
---
 src/script/cpp_api/s_base.cpp     |  35 ++++++++++++-
 src/script/cpp_api/s_base.h       |  13 +++++
 src/script/cpp_api/s_security.cpp | 103 ++++++++++++++++++++++++++------------
 src/script/cpp_api/s_security.h   |   8 ++-
 4 files changed, 122 insertions(+), 37 deletions(-)

(limited to 'src/script/cpp_api')

diff --git a/src/script/cpp_api/s_base.cpp b/src/script/cpp_api/s_base.cpp
index aaf26a9c3..6bea8230b 100644
--- a/src/script/cpp_api/s_base.cpp
+++ b/src/script/cpp_api/s_base.cpp
@@ -89,8 +89,10 @@ ScriptApiBase::ScriptApiBase()
 	lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI);
 
 	// Add and save an error handler
-	lua_pushcfunction(m_luastack, script_error_handler);
-	lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_ERROR_HANDLER);
+	lua_getglobal(m_luastack, "debug");
+	lua_getfield(m_luastack, -1, "traceback");
+	lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_BACKTRACE);
+	lua_pop(m_luastack, 1); // pop debug
 
 	// If we are using LuaJIT add a C++ wrapper function to catch
 	// exceptions thrown in Lua -> C++ calls
@@ -158,6 +160,35 @@ void ScriptApiBase::loadScript(const std::string &script_path)
 	lua_pop(L, 1); // Pop error handler
 }
 
+#ifndef SERVER
+void ScriptApiBase::loadModFromMemory(const std::string &mod_name)
+{
+	ModNameStorer mod_name_storer(getStack(), mod_name);
+
+	const std::string *init_filename = getClient()->getModFile(mod_name + ":init.lua");
+	const std::string display_filename = mod_name + ":init.lua";
+	if(init_filename == NULL)
+		throw ModError("Mod:\"" + mod_name + "\" lacks init.lua");
+
+	verbosestream << "Loading and running script " << display_filename << std::endl;
+
+	lua_State *L = getStack();
+
+	int error_handler = PUSH_ERROR_HANDLER(L);
+
+	bool ok = ScriptApiSecurity::safeLoadFile(L, init_filename->c_str(), display_filename.c_str());
+	if (ok)
+		ok = !lua_pcall(L, 0, 0, error_handler);
+	if (!ok) {
+		std::string error_msg = luaL_checkstring(L, -1);
+		lua_pop(L, 2); // Pop error message and error handler
+		throw ModError("Failed to load and run mod \"" +
+				mod_name + "\":\n" + error_msg);
+	}
+	lua_pop(L, 1); // Pop error handler
+}
+#endif
+
 // Push the list of callbacks (a lua table).
 // Then push nargs arguments.
 // Then call this function, which
diff --git a/src/script/cpp_api/s_base.h b/src/script/cpp_api/s_base.h
index 38ee9901b..28fefdd37 100644
--- a/src/script/cpp_api/s_base.h
+++ b/src/script/cpp_api/s_base.h
@@ -54,6 +54,12 @@ extern "C" {
 #define setOriginFromTable(index) \
 	setOriginFromTableRaw(index, __FUNCTION__)
 
+enum class ScriptingType: u8 {
+	Client,
+	Server,
+	MainMenu
+};
+
 class Server;
 #ifndef SERVER
 class Client;
@@ -73,6 +79,10 @@ public:
 	void loadMod(const std::string &script_path, const std::string &mod_name);
 	void loadScript(const std::string &script_path);
 
+#ifndef SERVER
+	void loadModFromMemory(const std::string &mod_name);
+#endif
+
 	void runCallbacksRaw(int nargs,
 		RunCallbacksMode mode, const char *fxn);
 
@@ -82,6 +92,8 @@ public:
 
 	IGameDef *getGameDef() { return m_gamedef; }
 	Server* getServer();
+	void setType(ScriptingType type) { m_type = type; }
+	ScriptingType getType() { return m_type; }
 #ifndef SERVER
 	Client* getClient();
 #endif
@@ -133,6 +145,7 @@ private:
 	IGameDef       *m_gamedef = nullptr;
 	Environment    *m_environment = nullptr;
 	GUIEngine      *m_guiengine = nullptr;
+	ScriptingType  m_type;
 };
 
 #endif /* S_BASE_H_ */
diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp
index 5ad7947d5..761597701 100644
--- a/src/script/cpp_api/s_security.cpp
+++ b/src/script/cpp_api/s_security.cpp
@@ -22,6 +22,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 #include "filesys.h"
 #include "porting.h"
 #include "server.h"
+#include "client.h"
 #include "settings.h"
 
 #include <cerrno>
@@ -140,8 +141,18 @@ void ScriptApiSecurity::initializeSecurity()
 
 	lua_State *L = getStack();
 
+	// Backup globals to the registry
+	lua_getglobal(L, "_G");
+	lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
 
-	int old_globals = backupGlobals(L);
+	// Replace the global environment with an empty one
+	int thread = getThread(L);
+	createEmptyEnv(L);
+	setLuaEnv(L, thread);
+
+	// Get old globals
+	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
+	int old_globals = lua_gettop(L);
 
 
 	// Copy safe base functions
@@ -274,80 +285,83 @@ void ScriptApiSecurity::initializeSecurityClient()
 	m_secure = true;
 
 	lua_State *L = getStack();
+	int thread = getThread(L);
 
-
-	int old_globals = backupGlobals(L);
-
+	// create an empty environment
+	createEmptyEnv(L);
 
 	// Copy safe base functions
 	lua_getglobal(L, "_G");
+	lua_getfield(L, -2, "_G");
 	copy_safe(L, whitelist, sizeof(whitelist));
 
 	// And replace unsafe ones
 	SECURE_API(g, dofile);
+	SECURE_API(g, load);
+	SECURE_API(g, loadfile);
 	SECURE_API(g, loadstring);
 	SECURE_API(g, require);
-	lua_pop(L, 1);
+	lua_pop(L, 2);
 
 
 
 	// Copy safe OS functions
-	lua_getfield(L, old_globals, "os");
+	lua_getglobal(L, "os");
 	lua_newtable(L);
 	copy_safe(L, os_whitelist, sizeof(os_whitelist));
-	lua_setglobal(L, "os");
+	lua_setfield(L, -3, "os");
 	lua_pop(L, 1);  // Pop old OS
 
 
 	// Copy safe debug functions
-	lua_getfield(L, old_globals, "debug");
+	lua_getglobal(L, "debug");
 	lua_newtable(L);
 	copy_safe(L, debug_whitelist, sizeof(debug_whitelist));
-	lua_setglobal(L, "debug");
+	lua_setfield(L, -3, "debug");
 	lua_pop(L, 1);  // Pop old debug
 
 #if USE_LUAJIT
 	// Copy safe jit functions, if they exist
-	lua_getfield(L, -1, "jit");
-	if (!lua_isnil(L, -1)) {
-		lua_newtable(L);
-		copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
-		lua_setglobal(L, "jit");
-	}
+	lua_getglobal(L, "jit");
+	lua_newtable(L);
+	copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
+	lua_setfield(L, -3, "jit");
 	lua_pop(L, 1);  // Pop old jit
 #endif
 
-	lua_pop(L, 1); // Pop globals_backup
+	// Set the environment to the one we created earlier
+	setLuaEnv(L, thread);
 }
 
-int ScriptApiSecurity::backupGlobals(lua_State *L)
+int ScriptApiSecurity::getThread(lua_State *L)
 {
-	// Backup globals to the registry
-	lua_getglobal(L, "_G");
-	lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
-
-	// Replace the global environment with an empty one
 #if LUA_VERSION_NUM <= 501
 	int is_main = lua_pushthread(L);  // Push the main thread
 	FATAL_ERROR_IF(!is_main, "Security: ScriptApi's Lua state "
 		"isn't the main Lua thread!");
+	return lua_gettop(L);
 #endif
+	return 0;
+}
+
+void ScriptApiSecurity::createEmptyEnv(lua_State *L)
+{
 	lua_newtable(L);  // Create new environment
 	lua_pushvalue(L, -1);
-	lua_setfield(L, -2, "_G");  // Set _G of new environment
+	lua_setfield(L, -2, "_G");  // Create the _G loop
+}
+
+void ScriptApiSecurity::setLuaEnv(lua_State *L, int thread)
+{
 #if LUA_VERSION_NUM >= 502  // Lua >= 5.2
 	// Set the global environment
 	lua_rawseti(L, LUA_REGISTRYINDEX, LUA_RIDX_GLOBALS);
 #else  // Lua <= 5.1
 	// Set the environment of the main thread
-	FATAL_ERROR_IF(!lua_setfenv(L, -2), "Security: Unable to set "
+	FATAL_ERROR_IF(!lua_setfenv(L, thread), "Security: Unable to set "
 		"environment of the main Lua thread!");
 	lua_pop(L, 1);  // Pop thread
 #endif
-
-	// Get old globals
-	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
-	return lua_gettop(L);
 }
 
 bool ScriptApiSecurity::isSecure(lua_State *L)
@@ -367,11 +381,13 @@ bool ScriptApiSecurity::isSecure(lua_State *L)
 	}
 
 
-bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path)
+bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path, const char *display_name)
 {
 	FILE *fp;
 	char *chunk_name;
-	if (path == NULL) {
+	if (!display_name)
+		display_name = path;
+	if (!path) {
 		fp = stdin;
 		chunk_name = const_cast<char *>("=stdin");
 	} else {
@@ -380,10 +396,10 @@ bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path)
 			lua_pushfstring(L, "%s: %s", path, strerror(errno));
 			return false;
 		}
-		chunk_name = new char[strlen(path) + 2];
+		chunk_name = new char[strlen(display_name) + 2];
 		chunk_name[0] = '@';
 		chunk_name[1] = '\0';
-		strcat(chunk_name, path);
+		strcat(chunk_name, display_name);
 	}
 
 	size_t start = 0;
@@ -626,8 +642,29 @@ int ScriptApiSecurity::sl_g_load(lua_State *L)
 
 int ScriptApiSecurity::sl_g_loadfile(lua_State *L)
 {
-	const char *path = NULL;
+#ifndef SERVER
+	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI);
+	ScriptApiBase *script = (ScriptApiBase *) lua_touserdata(L, -1);
+	lua_pop(L, 1);
 
+	if (script->getType() == ScriptingType::Client) {
+		std:: string display_path = lua_tostring(L, 1);
+		const std::string *path = script->getClient()->getModFile(display_path);
+		if (!path) {
+			std::string error_msg = "Coudln't find script called:" + display_path;
+			lua_pushnil(L);
+			lua_pushstring(L, error_msg.c_str());
+			return 2;
+		}
+		if (!safeLoadFile(L, path->c_str(), display_path.c_str())) {
+			lua_pushnil(L);
+			lua_insert(L, -2);
+			return 2;
+		}
+		return 1;
+	}
+#endif
+	const char *path = NULL;
 	if (lua_isstring(L, 1)) {
 		path = lua_tostring(L, 1);
 		CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);
diff --git a/src/script/cpp_api/s_security.h b/src/script/cpp_api/s_security.h
index f0eef00bb..059dccef1 100644
--- a/src/script/cpp_api/s_security.h
+++ b/src/script/cpp_api/s_security.h
@@ -41,14 +41,18 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 class ScriptApiSecurity : virtual public ScriptApiBase
 {
 public:
-	int backupGlobals(lua_State *L);
+	int getThread(lua_State *L);
+	// creates an empty Lua environment
+	void createEmptyEnv(lua_State *L);
+	// sets the enviroment to the table thats on top of the stack
+	void setLuaEnv(lua_State *L, int thread);
 	// Sets up security on the ScriptApi's Lua state
 	void initializeSecurity();
 	void initializeSecurityClient();
 	// Checks if the Lua state has been secured
 	static bool isSecure(lua_State *L);
 	// Loads a file as Lua code safely (doesn't allow bytecode).
-	static bool safeLoadFile(lua_State *L, const char *path);
+	static bool safeLoadFile(lua_State *L, const char *path, const char *display_name = NULL);
 	// Checks if mods are allowed to read (and optionally write) to the path
 	static bool checkPath(lua_State *L, const char *path, bool write_required,
 			bool *write_allowed=NULL);
-- 
cgit v1.2.3