Jump to content

Lua Sandboxing


RomSteady
 Share

Recommended Posts

(Running Leadwerks Indie for Steam)

 

I'm currently working on a settings module, and I'm running into a little bit of a problem.

 

I'm keeping all user-definable settings in a single Lua table. I've got serialization code to quickly save out that single table to disk functioning just fine. The problem comes on load.

 

I want to load the Settings object in a separate environment, and then iterate through and only pull over values that I recognize as safe, so no executable code, etc. in the settings file.

 

However, there are some problems, specifically that setfenv() and getfenv() are causing the process to end.

 

To demonstrate, I've got the following code:

 

function Settings:ShowFailure()
System:Print("Got here just fine...")
System:Print("getfenv is: " .. type(getfenv))
local myEnvironment = getfenv()
System:Print("Will never get here.")
end

 

If you call this code on launch, you'll get the following output:

 

Got here just fine...
getfenv is: function
Process Complete.

 

So you can see the code is executing and that getfenv is a recognized function, but as soon as getfenv() is called, the process ends.

 

Any thoughts? If Leadwerks was using Lua 5.2, I'd just use load with a target environment as a parameter, but I'm having to do things the 5.1 way.

Link to comment
Share on other sites

This is a snippet from a post regarding the Leadwerks 3.1 beta, I'm not positive because I don't really use Lua, but I think this may be the source of your issue:

 

What's New

...

  • System::GetProperty will return a command-line argument or application setting, in that order of preference. You can now set values with System::SetProperty. Your game's settings will automatically be saved in a config file and reloaded next time you run it. This file is located in the OS app data directory. Lua file write commands will be blocked in the future in order to safely sandbox Lua on Steam, so use this instead.

 

I believe Josh had to disable direct file I/O for security.

Link to comment
Share on other sites

I actually ended up un-sandboxing Leadwerks before release, because people were asking about special LuaJIT features.

 

The interpreter initialize function does call luaL_openlibs(L). I have never used setfenv before in Lua, and don't know if it requires loading of additional libraries or anything like that. Here's the stuff that gets loaded:

static const luaL_Reg lualibs[] = {
{"", luaopen_base},
{LUA_LOADLIBNAME, luaopen_package},//Load DLLs
{LUA_TABLIBNAME, luaopen_table},//table
{LUA_IOLIBNAME, luaopen_io},//File IO
{LUA_OSLIBNAME, luaopen_os},//OS
{LUA_STRLIBNAME, luaopen_string},//string
{LUA_MATHLIBNAME, luaopen_math},//math
{LUA_DBLIBNAME, luaopen_debug},//debug
{NULL, NULL}
};

My job is to make tools you love, with the features you want, and performance you can't live without.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...