From 1be9c614d16ee8f059805a49d68f04ae30ea56db Mon Sep 17 00:00:00 2001
From: Desour
Date: Tue, 25 Mar 2025 13:32:16 +0100
Subject: [PATCH] remove os.date and string.dump
---
 builtin/common/item_s.lua | 8 --------
 src/script/cpp_api/s_security.cpp | 28 +++++++++++++++++++++++++---
 2 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/builtin/common/item_s.lua b/builtin/common/item_s.lua
index 8263067d6..2761e41dd 100644
--- a/builtin/common/item_s.lua
+++ b/builtin/common/item_s.lua
@@ -232,14 +232,6 @@ if core.set_read_node and core.set_push_node then
 core.set_read_node = nil
 local function push_node(content, param1, param2)
- if false then -- TODO: tmp
- print(dump(debug.traceback()))
- --~ error()
- for i = 0, 10 do
- print("i="..i)
- print(dump(debug.getinfo(i)))
- end
- end
 return {name = content2name[content], param1 = param1, param2 = param2}
 end
 core.set_push_node(push_node)
diff --git a/src/script/cpp_api/s_security.cpp b/src/script/cpp_api/s_security.cpp
index 277330ae2..c67e040d9 100644
--- a/src/script/cpp_api/s_security.cpp
+++ b/src/script/cpp_api/s_security.cpp
@@ -408,19 +408,33 @@ void ScriptApiSecurity::initializeSecuritySSCSM()
 "xpcall",
 // Completely safe libraries
 "coroutine",
- "string", //TODO: string.dump?
 "table",
 "math",
 "bit",
 };
 static const char *os_whitelist[] = {
- "date", // TODO: can crash? ()
 "difftime",
 "time"
 };
 static const char *debug_whitelist[] = {
 "getinfo", // used by builtin and unset before mods load //TODO
- "traceback" //TODO: is this fine, or does it print paths of C functions?
+ "traceback"
+ };
+ static const char *string_whitelist[] = { // all but string.dump
+ "byte",
+ "char",
+ "dump",
+ "find",
+ "format",
+ "gmatch",
+ "gsub",
+ "len",
+ "lower",
+ "match",
+ "rep",
+ "reverse",
+ "sub",
+ "upper"
 };
 #if USE_LUAJIT
 static const char *jit_whitelist[] = {
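Review bot: `string_whitelist` in s_security.cpp still contains `"dump",` even though its own comment reads `// all but string.dump` and the commit subject says string.dump is removed, so the filtered `string` table would expose `string.dump` to sandboxed scripts exactly as the old whole-library entry did. Delete the `"dump",` line from the array. The same hunk also drops the TODO on `"traceback"` that asked whether it prints paths of C functions; if that was checked, replace it with a one-line comment stating the result, otherwise keep the TODO so the open question is not lost. initializeSecuritySSCSM begins before and continues after this hunk, so how the arrays are consumed is not visible here.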
@@ -479,6 +493,14 @@ void ScriptApiSecurity::initializeSecuritySSCSM()
 lua_pop(L, 1); // Pop old debug
+ // Copy safe string functions
+ lua_getglobal(L, "string");
+ lua_newtable(L);
+ copy_safe(L, string_whitelist, sizeof(string_whitelist));
+ lua_setfield(L, -3, "string");
+ lua_pop(L, 1); // Pop old string
+
+
 #if USE_LUAJIT
 // Copy safe jit functions, if they exist
 lua_getglobal(L, "jit");
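Review bot: Replacing the `string` field of the new environment does not change what string values resolve through: the string metatable's `__index` is set to the original library table when the string library is opened, so lookups made on a string value would still reach every function the whitelist leaves out. Unless that metatable is repointed elsewhere in initializeSecuritySSCSM (the function starts and ends outside this hunk), set its `__index` to the filtered table before the `lua_setfield(L, -3, "string")` call. The sketch below assumes the filtered table is on top of the stack after `copy_safe`, which the following `lua_setfield(L, -3, ...)` suggests but the hunk does not show. The two consecutive blank lines added after the block could also be reduced to one.

```cpp
	copy_safe(L, string_whitelist, sizeof(string_whitelist));
	// Route lookups on string values through the filtered table as well.
	lua_pushliteral(L, "");
	if (lua_getmetatable(L, -1)) {
		lua_pushvalue(L, -3); // filtered string table
		lua_setfield(L, -2, "__index");
		lua_pop(L, 1); // Pop string metatable
	}
	lua_pop(L, 1); // Pop ""
	// … unchanged: lua_setfield(L, -3, "string") and pop of the old table …
```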