authorsfan5 <sfan5@live.de>2020-03-05 22:03:04 +0100
committerGitHub <noreply@github.com>2020-03-05 22:03:04 +0100
commit8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (patch)
tree70bf61852c2f7efcb5c9620af6f60a7fb077516e /builtin/common/tests
parentef09e8a4d6671f5bfac7b6234fbe52c4b836c2be (diff)
Fix potential security issue(s), documentation on minetest.deserialize() (#9369)
Also adds a unit test.
Diffstat (limited to 'builtin/common/tests')
-rw-r--r--builtin/common/tests/serialize_spec.lua18
1 files changed, 17 insertions, 1 deletions
diff --git a/builtin/common/tests/serialize_spec.lua b/builtin/common/tests/serialize_spec.lua
index 321d2766a..c41b0a372 100644
--- a/builtin/common/tests/serialize_spec.lua
+++ b/builtin/common/tests/serialize_spec.lua
@@ -1,6 +1,6 @@
_G.core = {}
-_G.setfenv = function() end
+_G.setfenv = require 'busted.compatibility'.setfenv
dofile("builtin/common/serialize.lua")
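Review bot: The replacement of the no-op `setfenv` stub with busted's shim carries no comment saying why the real function is now required, so a later cleanup could put the stub back without anyone noticing what it disables. Presumably serialize.lua relies on `setfenv` to confine deserialized chunks, in which case the safe-mode test added further down could not observe that confinement with the stub in place. I would add `-- real setfenv required: deserialize() uses it to sandbox loaded chunks (shim covers Lua 5.2+)` above the assignment; confirm the wording against serialize.lua, which is not part of this diff.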
@@ -25,4 +25,20 @@ describe("serialize", function()
local test_out = core.deserialize(core.serialize(test_in))
assert.same(test_in, test_out)
end)
+
+ it("strips functions in safe mode", function()
+ local test_in = {
+ func = function(a, b)
+ error("test")
+ end,
+ foo = "bar"
+ }
+
+ local str = core.serialize(test_in)
+ assert.not_nil(str:find("loadstring"))
+
+ local test_out = core.deserialize(str, true)
+ assert.is_nil(test_out.func)
+ assert.equals(test_out.foo, "bar")
+ end)
end)
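Review bot: The new "strips functions in safe mode" test only passes `core.deserialize` a string that `core.serialize` produced, so it shows that serialized functions are dropped but not that a chunk loaded in safe mode is cut off from globals. A benign extra assertion such as `assert.is_nil(core.deserialize("return os", true))` would pin that property, assuming deserialize returns the chunk's result and runs it in a restricted environment (serialize.lua is not shown here). Separately, `assert.equals(test_out.foo, "bar")` has expected and actual swapped relative to busted's convention; `assert.equals("bar", test_out.foo)` gives a clearer failure message. The enclosing `describe` block starts outside the hunk.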