aboutsummaryrefslogtreecommitdiff
path: root/src/script/cpp_api
diff options
context:
space:
mode:
authorred-001 <red-001@outlook.ie>2017-06-30 19:14:39 +0100
committerLoïc Blot <nerzhul@users.noreply.github.com>2017-06-30 20:14:39 +0200
commitf3ad75691aea30d2d68aab19fbfa9031409c39d7 (patch)
treeb73109f1d3d14af91b3593dc80645a1bb70274a8 /src/script/cpp_api
parent2e53801fc0d9ba13afec6c1ddb5e3999f68b96bd (diff)
downloadminetest-f3ad75691aea30d2d68aab19fbfa9031409c39d7.tar.gz
minetest-f3ad75691aea30d2d68aab19fbfa9031409c39d7.tar.bz2
minetest-f3ad75691aea30d2d68aab19fbfa9031409c39d7.zip
Create a filesystem abstraction layer for CSM and only allow accessing files that are scanned into it. (#5965)
* Load client-side mods into memory before executing them. This removes the remaining filesystem access that client-sided mods had and it will hopefully make then more secure. * Lua Virtual filesystem: don't load the files into memory just scan the filenames into memory. * Fix the issues with backtrace * fix most of the issues * fix code style. * add a comment
Diffstat (limited to 'src/script/cpp_api')
-rw-r--r--src/script/cpp_api/s_base.cpp35
-rw-r--r--src/script/cpp_api/s_base.h13
-rw-r--r--src/script/cpp_api/s_security.cpp103
-rw-r--r--src/script/cpp_api/s_security.h8
4 files changed, 122 insertions, 37 deletions
diff --git a/src/script/cpp_api/s_base.cpp b/src/script/cpp_api/s_base.cpp
index aaf26a9c3..6bea8230b 100644
--- a/src/script/cpp_api/s_base.cpp
+++ b/src/script/cpp_api/s_base.cpp
@@ -89,8 +89,10 @@ ScriptApiBase::ScriptApiBase()
lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI);
// Add and save an error handler
- lua_pushcfunction(m_luastack, script_error_handler);
- lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_ERROR_HANDLER);
+ lua_getglobal(m_luastack, "debug");
+ lua_getfield(m_luastack, -1, "traceback");
+ lua_rawseti(m_luastack, LUA_REGISTRYINDEX, CUSTOM_RIDX_BACKTRACE);
+ lua_pop(m_luastack, 1); // pop debug
// If we are using LuaJIT add a C++ wrapper function to catch
// exceptions thrown in Lua -> C++ calls
@@ -158,6 +160,35 @@ void ScriptApiBase::loadScript(const std::string &script_path)
lua_pop(L, 1); // Pop error handler
}
+#ifndef SERVER
+void ScriptApiBase::loadModFromMemory(const std::string &mod_name)
+{
+ ModNameStorer mod_name_storer(getStack(), mod_name);
+
+ const std::string *init_filename = getClient()->getModFile(mod_name + ":init.lua");
+ const std::string display_filename = mod_name + ":init.lua";
+ if(init_filename == NULL)
+ throw ModError("Mod:\"" + mod_name + "\" lacks init.lua");
+
+ verbosestream << "Loading and running script " << display_filename << std::endl;
+
+ lua_State *L = getStack();
+
+ int error_handler = PUSH_ERROR_HANDLER(L);
+
+ bool ok = ScriptApiSecurity::safeLoadFile(L, init_filename->c_str(), display_filename.c_str());
+ if (ok)
+ ok = !lua_pcall(L, 0, 0, error_handler);
+ if (!ok) {
+ std::string error_msg = luaL_checkstring(L, -1);
+ lua_pop(L, 2); // Pop error message and error handler
+ throw ModError("Failed to load and run mod \"" +
+ mod_name + "\":\n" + error_msg);
+ }
+ lua_pop(L, 1); // Pop error handler
+}
+#endif
+
// Push the list of callbacks (a lua table).
// Then push nargs arguments.
// Then call this function, which
diff --git a/src/script/cpp_api/s_base.h b/src/script/cpp_api/s_base.h
index 38ee9901b..28fefdd37 100644
--- a/src/script/cpp_api/s_base.h
+++ b/src/script/cpp_api/s_base.h
@@ -54,6 +54,12 @@ extern "C" {
#define setOriginFromTable(index) \
setOriginFromTableRaw(index, __FUNCTION__)
+enum class ScriptingType: u8 {
+ Client,
+ Server,
+ MainMenu
+};
+
class Server;
#ifndef SERVER
class Client;
@@ -73,6 +79,10 @@ public:
void loadMod(const std::string &script_path, const std::string &mod_name);
void loadScript(const std::string &script_path);
+#ifndef SERVER
+ void loadModFromMemory(const std::string &mod_name);
+#endif
+
void runCallbacksRaw(int nargs,
RunCallbacksMode mode, const char *fxn);
@@ -82,6 +92,8 @@ public:
IGameDef *getGameDef() { return m_gamedef; }
Server* getServer();
+ void setType(ScriptingType type) { m_type = type; }
+ ScriptingType getType() { return m_type; }
#ifndef SERVER
Client* getClient();
#endif
@@ -133,6 +145,7 @@ private:
IGameDef *m_gamedef = nullptr;
Environment *m_environment = nullptr;
GUIEngine *m_guiengine = nullptr;
+ ScriptingType m_type;
};
#endif /* S_BASE_H_ */
diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp
index 5ad7947d5..761597701 100644
--- a/src/script/cpp_api/s_security.cpp
+++ b/src/script/cpp_api/s_security.cpp
@@ -22,6 +22,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
#include "filesys.h"
#include "porting.h"
#include "server.h"
+#include "client.h"
#include "settings.h"
#include <cerrno>
@@ -140,8 +141,18 @@ void ScriptApiSecurity::initializeSecurity()
lua_State *L = getStack();
+ // Backup globals to the registry
+ lua_getglobal(L, "_G");
+ lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
- int old_globals = backupGlobals(L);
+ // Replace the global environment with an empty one
+ int thread = getThread(L);
+ createEmptyEnv(L);
+ setLuaEnv(L, thread);
+
+ // Get old globals
+ lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
+ int old_globals = lua_gettop(L);
// Copy safe base functions
@@ -274,80 +285,83 @@ void ScriptApiSecurity::initializeSecurityClient()
m_secure = true;
lua_State *L = getStack();
+ int thread = getThread(L);
-
- int old_globals = backupGlobals(L);
-
+ // create an empty environment
+ createEmptyEnv(L);
// Copy safe base functions
lua_getglobal(L, "_G");
+ lua_getfield(L, -2, "_G");
copy_safe(L, whitelist, sizeof(whitelist));
// And replace unsafe ones
SECURE_API(g, dofile);
+ SECURE_API(g, load);
+ SECURE_API(g, loadfile);
SECURE_API(g, loadstring);
SECURE_API(g, require);
- lua_pop(L, 1);
+ lua_pop(L, 2);
// Copy safe OS functions
- lua_getfield(L, old_globals, "os");
+ lua_getglobal(L, "os");
lua_newtable(L);
copy_safe(L, os_whitelist, sizeof(os_whitelist));
- lua_setglobal(L, "os");
+ lua_setfield(L, -3, "os");
lua_pop(L, 1); // Pop old OS
// Copy safe debug functions
- lua_getfield(L, old_globals, "debug");
+ lua_getglobal(L, "debug");
lua_newtable(L);
copy_safe(L, debug_whitelist, sizeof(debug_whitelist));
- lua_setglobal(L, "debug");
+ lua_setfield(L, -3, "debug");
lua_pop(L, 1); // Pop old debug
#if USE_LUAJIT
// Copy safe jit functions, if they exist
- lua_getfield(L, -1, "jit");
- if (!lua_isnil(L, -1)) {
- lua_newtable(L);
- copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
- lua_setglobal(L, "jit");
- }
+ lua_getglobal(L, "jit");
+ lua_newtable(L);
+ copy_safe(L, jit_whitelist, sizeof(jit_whitelist));
+ lua_setfield(L, -3, "jit");
lua_pop(L, 1); // Pop old jit
#endif
- lua_pop(L, 1); // Pop globals_backup
+ // Set the environment to the one we created earlier
+ setLuaEnv(L, thread);
}
-int ScriptApiSecurity::backupGlobals(lua_State *L)
+int ScriptApiSecurity::getThread(lua_State *L)
{
- // Backup globals to the registry
- lua_getglobal(L, "_G");
- lua_rawseti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
-
- // Replace the global environment with an empty one
#if LUA_VERSION_NUM <= 501
int is_main = lua_pushthread(L); // Push the main thread
FATAL_ERROR_IF(!is_main, "Security: ScriptApi's Lua state "
"isn't the main Lua thread!");
+ return lua_gettop(L);
#endif
+ return 0;
+}
+
+void ScriptApiSecurity::createEmptyEnv(lua_State *L)
+{
lua_newtable(L); // Create new environment
lua_pushvalue(L, -1);
- lua_setfield(L, -2, "_G"); // Set _G of new environment
+ lua_setfield(L, -2, "_G"); // Create the _G loop
+}
+
+void ScriptApiSecurity::setLuaEnv(lua_State *L, int thread)
+{
#if LUA_VERSION_NUM >= 502 // Lua >= 5.2
// Set the global environment
lua_rawseti(L, LUA_REGISTRYINDEX, LUA_RIDX_GLOBALS);
#else // Lua <= 5.1
// Set the environment of the main thread
- FATAL_ERROR_IF(!lua_setfenv(L, -2), "Security: Unable to set "
+ FATAL_ERROR_IF(!lua_setfenv(L, thread), "Security: Unable to set "
"environment of the main Lua thread!");
lua_pop(L, 1); // Pop thread
#endif
-
- // Get old globals
- lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_GLOBALS_BACKUP);
- return lua_gettop(L);
}
bool ScriptApiSecurity::isSecure(lua_State *L)
@@ -367,11 +381,13 @@ bool ScriptApiSecurity::isSecure(lua_State *L)
}
-bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path)
+bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path, const char *display_name)
{
FILE *fp;
char *chunk_name;
- if (path == NULL) {
+ if (!display_name)
+ display_name = path;
+ if (!path) {
fp = stdin;
chunk_name = const_cast<char *>("=stdin");
} else {
@@ -380,10 +396,10 @@ bool ScriptApiSecurity::safeLoadFile(lua_State *L, const char *path)
lua_pushfstring(L, "%s: %s", path, strerror(errno));
return false;
}
- chunk_name = new char[strlen(path) + 2];
+ chunk_name = new char[strlen(display_name) + 2];
chunk_name[0] = '@';
chunk_name[1] = '\0';
- strcat(chunk_name, path);
+ strcat(chunk_name, display_name);
}
size_t start = 0;
@@ -626,8 +642,29 @@ int ScriptApiSecurity::sl_g_load(lua_State *L)
int ScriptApiSecurity::sl_g_loadfile(lua_State *L)
{
- const char *path = NULL;
+#ifndef SERVER
+ lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_SCRIPTAPI);
+ ScriptApiBase *script = (ScriptApiBase *) lua_touserdata(L, -1);
+ lua_pop(L, 1);
+ if (script->getType() == ScriptingType::Client) {
+ std:: string display_path = lua_tostring(L, 1);
+ const std::string *path = script->getClient()->getModFile(display_path);
+ if (!path) {
+ std::string error_msg = "Coudln't find script called:" + display_path;
+ lua_pushnil(L);
+ lua_pushstring(L, error_msg.c_str());
+ return 2;
+ }
+ if (!safeLoadFile(L, path->c_str(), display_path.c_str())) {
+ lua_pushnil(L);
+ lua_insert(L, -2);
+ return 2;
+ }
+ return 1;
+ }
+#endif
+ const char *path = NULL;
if (lua_isstring(L, 1)) {
path = lua_tostring(L, 1);
CHECK_SECURE_PATH_INTERNAL(L, path, false, NULL);
diff --git a/src/script/cpp_api/s_security.h b/src/script/cpp_api/s_security.h
index f0eef00bb..059dccef1 100644
--- a/src/script/cpp_api/s_security.h
+++ b/src/script/cpp_api/s_security.h
@@ -41,14 +41,18 @@ with this program; if not, write to the Free Software Foundation, Inc.,
class ScriptApiSecurity : virtual public ScriptApiBase
{
public:
- int backupGlobals(lua_State *L);
+ int getThread(lua_State *L);
+ // creates an empty Lua environment
+ void createEmptyEnv(lua_State *L);
+ // sets the enviroment to the table thats on top of the stack
+ void setLuaEnv(lua_State *L, int thread);
// Sets up security on the ScriptApi's Lua state
void initializeSecurity();
void initializeSecurityClient();
// Checks if the Lua state has been secured
static bool isSecure(lua_State *L);
// Loads a file as Lua code safely (doesn't allow bytecode).
- static bool safeLoadFile(lua_State *L, const char *path);
+ static bool safeLoadFile(lua_State *L, const char *path, const char *display_name = NULL);
// Checks if mods are allowed to read (and optionally write) to the path
static bool checkPath(lua_State *L, const char *path, bool write_required,
bool *write_allowed=NULL);