luanti/src/script/cpp_api/s_security.h

// Luanti
// SPDX-License-Identifier: LGPL-2.1-or-later
// Copyright (C) 2013 celeron55, Perttu Ahola <celeron55@gmail.com>

#pragma once

#include "cpp_api/s_base.h"


#define CHECK_SECURE_PATH_INTERNAL(L, path, write_required, ptr) \
	if (!ScriptApiSecurity::checkPath(L, path, write_required, ptr)) { \
		throw LuaError(std::string("Mod security: Blocked attempted ") + \
				(write_required ? "write to " : "read from ") + path); \
	}
#define CHECK_SECURE_PATH(L, path, write_required) \
	if (ScriptApiSecurity::isSecure(L)) { \
		CHECK_SECURE_PATH_INTERNAL(L, path, write_required, NULL); \
	}
#define CHECK_SECURE_PATH_POSSIBLE_WRITE(L, path, ptr) \
	if (ScriptApiSecurity::isSecure(L)) { \
		CHECK_SECURE_PATH_INTERNAL(L, path, false, ptr); \
	}


class ScriptApiSecurity : virtual public ScriptApiBase
{
public:
	// Sets up security on the ScriptApi's Lua state
	void initializeSecurity();
	void initializeSecurityClient();
	// Checks if the Lua state has been secured
	static bool isSecure(lua_State *L);
	// Loads a string as Lua code safely (doesn't allow bytecode).
	static bool safeLoadString(lua_State *L, const std::string &code, const char *chunk_name);
	// Loads a file as Lua code safely (doesn't allow bytecode).
	static bool safeLoadFile(lua_State *L, const char *path, const char *display_name = NULL);
	// Check if mod is whitelisted in the given setting
	// This additionally checks that the mod's main file scope is executing.
	static bool checkWhitelisted(lua_State *L, const std::string &setting);
	// Checks if mods are allowed to read (and optionally write) to the path
	static bool checkPath(lua_State *L, const char *path, bool write_required,
			bool *write_allowed=NULL);

private:
	int getThread(lua_State *L);
	// sets the enviroment to the table thats on top of the stack
	void setLuaEnv(lua_State *L, int thread);
	// creates an empty Lua environment
	void createEmptyEnv(lua_State *L);

	// Syntax: "sl_" <Library name or 'g' (global)> '_' <Function name>
	// (sl stands for Secure Lua)

	static int sl_g_dofile(lua_State *L);
	static int sl_g_load(lua_State *L);
	static int sl_g_loadfile(lua_State *L);
	static int sl_g_loadstring(lua_State *L);
	static int sl_g_require(lua_State *L);

	static int sl_io_open(lua_State *L);
	static int sl_io_input(lua_State *L);
	static int sl_io_output(lua_State *L);
	static int sl_io_lines(lua_State *L);

	static int sl_os_rename(lua_State *L);
	static int sl_os_remove(lua_State *L);
	static int sl_os_setlocale(lua_State *L);
};
Replace licensing text in headers (LGPLv2.1) (#15321) 2024-10-28 15:57:39 +01:00			`// Luanti`
			`// SPDX-License-Identifier: LGPL-2.1-or-later`
			`// Copyright (C) 2013 celeron55, Perttu Ahola <celeron55@gmail.com>`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00
C++ modernize: Pragma once (#6264) * Migrate cpp headers to pragma once 2017-08-17 22:19:39 +02:00			`#pragma once`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00
			`#include "cpp_api/s_base.h"`


Mod security: Allow read-only access to all mod paths 2016-12-05 19:59:15 +00:00			`#define CHECK_SECURE_PATH_INTERNAL(L, path, write_required, ptr) \`
			`if (!ScriptApiSecurity::checkPath(L, path, write_required, ptr)) { \`
			`throw LuaError(std::string("Mod security: Blocked attempted ") + \`
			`(write_required ? "write to " : "read from ") + path); \`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00			`}`
Mod security: Allow read-only access to all mod paths 2016-12-05 19:59:15 +00:00			`#define CHECK_SECURE_PATH(L, path, write_required) \`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00			`if (ScriptApiSecurity::isSecure(L)) { \`
Mod security: Allow read-only access to all mod paths 2016-12-05 19:59:15 +00:00			`CHECK_SECURE_PATH_INTERNAL(L, path, write_required, NULL); \`
			`}`
			`#define CHECK_SECURE_PATH_POSSIBLE_WRITE(L, path, ptr) \`
			`if (ScriptApiSecurity::isSecure(L)) { \`
			`CHECK_SECURE_PATH_INTERNAL(L, path, false, ptr); \`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00			`}`


			`class ScriptApiSecurity : virtual public ScriptApiBase`
			`{`
			`public:`
			`// Sets up security on the ScriptApi's Lua state`
			`void initializeSecurity();`
[CSM] Improve security for client-sided mods (#5100) 2017-01-28 16:24:25 +00:00			`void initializeSecurityClient();`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00			`// Checks if the Lua state has been secured`
			`static bool isSecure(lua_State *L);`
Refactor loading of Lua code with mod security 2019-11-08 18:35:32 +01:00			`// Loads a string as Lua code safely (doesn't allow bytecode).`
			`static bool safeLoadString(lua_State L, const std::string &code, const char chunk_name);`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00			`// Loads a file as Lua code safely (doesn't allow bytecode).`
Create a filesystem abstraction layer for CSM and only allow accessing files that are scanned into it. (#5965) * Load client-side mods into memory before executing them. This removes the remaining filesystem access that client-sided mods had and it will hopefully make then more secure. * Lua Virtual filesystem: don't load the files into memory just scan the filenames into memory. * Fix the issues with backtrace * fix most of the issues * fix code style. * add a comment 2017-06-30 19:14:39 +01:00			`static bool safeLoadFile(lua_State L, const char path, const char *display_name = NULL);`
Refactor trusted mod checking code 2021-12-17 19:04:46 +01:00			`// Check if mod is whitelisted in the given setting`
			`// This additionally checks that the mod's main file scope is executing.`
			`static bool checkWhitelisted(lua_State *L, const std::string &setting);`
Deprecate writing to mod directories (#14486) 2024-03-27 18:32:05 +00:00			`// Checks if mods are allowed to read (and optionally write) to the path`
			`static bool checkPath(lua_State L, const char path, bool write_required,`
			`bool *write_allowed=NULL);`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00
			`private:`
Refactor trusted mod checking code 2021-12-17 19:04:46 +01:00			`int getThread(lua_State *L);`
			`// sets the enviroment to the table thats on top of the stack`
			`void setLuaEnv(lua_State *L, int thread);`
			`// creates an empty Lua environment`
			`void createEmptyEnv(lua_State *L);`

Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00			`// Syntax: "sl_" <Library name or 'g' (global)> '_' <Function name>`
			`// (sl stands for Secure Lua)`

			`static int sl_g_dofile(lua_State *L);`
			`static int sl_g_load(lua_State *L);`
			`static int sl_g_loadfile(lua_State *L);`
			`static int sl_g_loadstring(lua_State *L);`
			`static int sl_g_require(lua_State *L);`

			`static int sl_io_open(lua_State *L);`
			`static int sl_io_input(lua_State *L);`
			`static int sl_io_output(lua_State *L);`
			`static int sl_io_lines(lua_State *L);`

			`static int sl_os_rename(lua_State *L);`
			`static int sl_os_remove(lua_State *L);`
Minor improvements to Lua sandbox 2022-01-13 22:12:44 +01:00			`static int sl_os_setlocale(lua_State *L);`
Add mod security Due to compatibility concerns, this is temporarily disabled. 2014-09-05 20:08:51 -04:00			`};`