diff options
author | red-001 <red-001@outlook.ie> | 2017-06-30 19:14:39 +0100 |
---|---|---|
committer | Loïc Blot <nerzhul@users.noreply.github.com> | 2017-06-30 20:14:39 +0200 |
commit | f3ad75691aea30d2d68aab19fbfa9031409c39d7 (patch) | |
tree | b73109f1d3d14af91b3593dc80645a1bb70274a8 /src/script/cpp_api | |
parent | 2e53801fc0d9ba13afec6c1ddb5e3999f68b96bd (diff) | |
download | minetest-f3ad75691aea30d2d68aab19fbfa9031409c39d7.tar.gz minetest-f3ad75691aea30d2d68aab19fbfa9031409c39d7.tar.bz2 minetest-f3ad75691aea30d2d68aab19fbfa9031409c39d7.zip |
Create a filesystem abstraction layer for CSM and only allow accessing files that are scanned into it. (#5965)
* Load client-side mods into memory before executing them.
This removes the remaining filesystem access that client-sided mods had and it will hopefully make then more secure.
* Lua Virtual filesystem: don't load the files into memory just scan the filenames into memory.
* Fix the issues with backtrace
* fix most of the issues
* fix code style.
* add a comment
Diffstat (limited to 'src/script/cpp_api')
-rw-r--r-- | src/script/cpp_api/s_base.cpp | 35 | ||||
-rw-r--r-- | src/script/cpp_api/s_base.h | 13 | ||||
-rw-r--r-- | src/script/cpp_api/s_security.cpp | 103 | ||||
-rw-r--r-- | src/script/cpp_api/s_security.h | 8 |
4 files changed, 122 insertions, 37 deletions
diff --git a/src/script/cpp_api/s_base.cpp b/src/script/cpp_api/s_base.cpp index aaf26a9c3..6bea8230b 100644 --- a/src/script/cpp_api/s_base.cpp +++ b/src/script/cpp_api/s_base.cpp @@ -89,8 +89,10 @@ ScriptApiBase::ScriptApiBase() lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI); // Add and save an error handler - lua_pushcfunction(m_luastack, script_error_handler); - lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_ERROR_HANDLER); + lua_getglobal(m_luastack, "debug"); + lua_getfield(m_luastack, -1, "traceback"); + lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_BACKTRACE); + lua_pop(m_luastack, 1); // pop debug // If we are using LuaJIT add a C++ wrapper function to catch // exceptions thrown in Lua -> C++ calls @@ -158,6 +160,35 @@ void ScriptApiBase::loadScript(const std::string &script_path) lua_pop(L, 1); // Pop error handler } +#ifndef SERVER +void ScriptApiBase::loadModFromMemory(const std::string &mod_name) +{ + ModNameStorer mod_name_storer(getStack(), mod_name); + + const std::string *init_filename = getClient()->getModFile(mod_name + ":init.lua"); + const std::string display_filename = mod_name + ":init.lua"; + if(init_filename == NULL) + throw ModError("Mod:\"" + mod_name + "\" lacks init.lua"); + + verbosestream << "Loading and running script " << display_filename << std::endl; + + lua_State *L = getStack(); + + int error_handler = PUSH_ERROR_HANDLER(L); + + bool ok = ScriptApiSecurity::safeLoadFile(L, init_filename->c_str(), display_filename.c_str()); + if (ok) + ok = !lua_pcall(L, 0, 0, error_handler); + if (!ok) { + std::string error_msg = luaL_checkstring(L, -1); + lua_pop(L, 2); // Pop error message and error handler + throw ModError("Failed to load and run mod \"" + + mod_name + "\":\n" + error_msg); + } + lua_pop(L, 1); // Pop error handler +} +#endif + // Push the list of callbacks (a lua table). // Then push nargs arguments. // Then call this function, which diff --git a/src/script/cpp_api/s_base.h b/src/script/cpp_api/s_base.h index 38ee9901b..28fefdd37 100644 --- a/src/script/cpp_api/s_base.h +++ b/src/script/cpp_api/s_base.h @@ -54,6 +54,12 @@ extern "C" { #define setOriginFromTable(index) \ setOriginFromTableRaw(index, __FUNCTION__) +enum class ScriptingType: u8 { + Client, + Server, + MainMenu +}; + class Server; #ifndef SERVER class Client; @@ -73,6 +79,10 @@ public: void loadMod(const std::string &script_path, const std::string &mod_name); void loadScript(const std::string &script_path); +#ifndef SERVER + void loadModFromMemory(const std::string &mod_name); +#endif + void runCallbacksRaw(int nargs, RunCallbacksMode mode, const char *fxn); @@ -82,6 +92,8 @@ public: IGameDef *getGameDef() { return m_gamedef; } Server* getServer(); + void setType(ScriptingType type) { m_type = type; } + ScriptingType getType() { return m_type; } #ifndef SERVER Client* getClient(); #endif @@ -133,6 +145,7 @@ private: IGameDef *m_gamedef = nullptr; Environment *m_environment = nullptr; GUIEngine *m_guiengine = nullptr; + ScriptingType m_type; }; #endif /* S_BASE_H_ */ diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp index 5ad7947d5..761597701 100644 --- a/src/script/cpp_api/s_security.cpp +++ b/src/script/cpp_api/s_security.cpp @@ -22,6 +22,7 @@ with this program; if not, write to the Free Software Foundation, Inc., #include "filesys.h" #include "porting.h" #include "server.h" +#include "client.h" #include "settings.h" #include <cerrno> @@ -140,8 +141,18 @@ void ScriptApiSecurity::initializeSecurity() lua_State *L = getStack(); + // Backup globals to the registry + lua_getglobal(L, "_G"); + lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP); - int old_globals = backupGlobals(L); + // Replace the global environment with an empty one + int thread = getThread(L); + createEmptyEnv(L); + setLuaEnv(L, thread); + + // Get old globals + lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP); + int old_globals = lua_gettop(L); // Copy safe base functions @@ -274,80 +285,83 @@ void ScriptApiSecurity::initializeSecurityClient() m_secure = true; lua_State *L = getStack(); + int thread = getThread(L); - - int old_globals = backupGlobals(L); - + // create an empty environment + createEmptyEnv(L); // Copy safe base functions lua_getglobal(L, "_G"); + lua_getfield(L, -2, "_G"); copy_safe(L, whitelist, sizeof(whitelist)); // And replace unsafe ones SECURE_API(g, dofile); + SECURE_API(g, load); + SECURE_API(g, loadfile); SECURE_API(g, loadstring); SECURE_API(g, require); - lua_pop(L, 1); + lua_pop(L, 2); // Copy safe OS functions - lua_getfield(L, old_globals, "os"); + lua_getglobal(L, "os"); lua_newtable(L); copy_safe(L, os_whitelist, sizeof(os_whitelist)); - lua_setglobal(L, "os"); + lua_setfield(L, -3, "os"); lua_pop(L, 1); // Pop old OS // Copy safe debug functions - lua_getfield(L, old_globals, "debug"); + lua_getglobal(L, "debug"); lua_newtable(L); copy_safe(L, debug_whitelist, sizeof(debug_whitelist)); - lua_setglobal(L, "debug"); + lua_setfield(L, -3, "debug"); lua_pop(L, 1); // Pop old debug #if USE_LUAJIT // Copy safe jit functions, if they exist - lua_getfield(L, -1, "jit"); - if (!lua_isnil(L, -1)) { - lua_newtable(L); - copy_safe(L, jit_whitelist, sizeof(jit_whitelist)); - lua_setglobal(L, "jit"); - } + lua_getglobal(L, "jit"); + lua_newtable(L); + copy_safe(L, jit_whitelist, sizeof(jit_whitelist)); + lua_setfield(L, -3, "jit"); lua_pop(L, 1); // Pop old jit #endif - lua_pop(L, 1); // Pop globals_backup + // Set the environment to the one we created earlier + setLuaEnv(L, thread); } -int ScriptApiSecurity::backupGlobals(lua_State *L) +int ScriptApiSecurity::getThread(lua_State *L) { - // Backup globals to the registry - lua_getglobal(L, "_G"); - lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP); - - // Replace the global environment with an empty one #if LUA_VERSION_NUM <= 501 int is_main = lua_pushthread(L); // Push the main thread FATAL_ERROR_IF(!is_main, "Security: ScriptApi's Lua state " "isn't the main Lua thread!"); + return lua_gettop(L); #endif + return 0; +} + +void ScriptApiSecurity::createEmptyEnv(lua_State *L) +{ lua_newtable(L); // Create new environment lua_pushvalue(L, -1); - lua_setfield(L, -2, "_G"); // Set _G of new environment + lua_setfield(L, -2, "_G"); // Create the _G loop +} + +void ScriptApiSecurity::setLuaEnv(lua_State *L, int thread) +{ #if LUA_VERSION_NUM >= 502 // Lua >= 5.2 // Set the global environment lua_rawseti(L, LUA_REGISTRYINDEX, LUA_RIDX_GLOBALS); #else // Lua <= 5.1 // Set the environment of the main thread - FATAL_ERROR_IF(!lua_setfenv(L, -2), "Security: Unable to set " + FATAL_ERROR_IF(!lua_setfenv(L, thread), "Security: Unable to set " "environment of the main Lua thread!"); lua_pop(L, 1); // Pop thread #endif - - // Get old globals - lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP); - return lua_gettop(L); } bool ScriptApiSecurity::isSecure(lua_State *L) @@ -367,11 +381,13 @@ bool ScriptApiSecurity::isSecure(lua_State *L) } -bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path) +bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path, const char *display_name) { FILE *fp; char *chunk_name; - if (path == NULL) { + if (!display_name) + display_name = path; + if (!path) { fp = stdin; chunk_name = const_cast<char *>("=stdin"); } else { @@ -380,10 +396,10 @@ bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path) lua_pushfstring(L, "%s: %s", path, strerror(errno)); return false; } - chunk_name = new char[strlen(path) + 2]; + chunk_name = new char[strlen(display_name) + 2]; chunk_name[0] = '@'; chunk_name[1] = '\0'; - strcat(chunk_name, path); + strcat(chunk_name, display_name); } size_t start = 0; @@ -626,8 +642,29 @@ int ScriptApiSecurity::sl_g_load(lua_State *L) int ScriptApiSecurity::sl_g_loadfile(lua_State *L) { - const char *path = NULL; +#ifndef SERVER + lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI); + ScriptApiBase *script = (ScriptApiBase *) lua_touserdata(L, -1); + lua_pop(L, 1); + if (script->getType() == ScriptingType::Client) { + std:: string display_path = lua_tostring(L, 1); + const std::string *path = script->getClient()->getModFile(display_path); + if (!path) { + std::string error_msg = "Coudln't find script called:" + display_path; + lua_pushnil(L); + lua_pushstring(L, error_msg.c_str()); + return 2; + } + if (!safeLoadFile(L, path->c_str(), display_path.c_str())) { + lua_pushnil(L); + lua_insert(L, -2); + return 2; + } + return 1; + } +#endif + const char *path = NULL; if (lua_isstring(L, 1)) { path = lua_tostring(L, 1); CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL); diff --git a/src/script/cpp_api/s_security.h b/src/script/cpp_api/s_security.h index f0eef00bb..059dccef1 100644 --- a/src/script/cpp_api/s_security.h +++ b/src/script/cpp_api/s_security.h @@ -41,14 +41,18 @@ with this program; if not, write to the Free Software Foundation, Inc., class ScriptApiSecurity : virtual public ScriptApiBase { public: - int backupGlobals(lua_State *L); + int getThread(lua_State *L); + // creates an empty Lua environment + void createEmptyEnv(lua_State *L); + // sets the enviroment to the table thats on top of the stack + void setLuaEnv(lua_State *L, int thread); // Sets up security on the ScriptApi's Lua state void initializeSecurity(); void initializeSecurityClient(); // Checks if the Lua state has been secured static bool isSecure(lua_State *L); // Loads a file as Lua code safely (doesn't allow bytecode). - static bool safeLoadFile(lua_State *L, const char *path); + static bool safeLoadFile(lua_State *L, const char *path, const char *display_name = NULL); // Checks if mods are allowed to read (and optionally write) to the path static bool checkPath(lua_State *L, const char *path, bool write_required, bool *write_allowed=NULL); |