Refactor ScriptApiSecurity for cleaner separation of concerns

src/script/cpp_api/s_security.h

@@ -12,10 +12,12 @@
 		throw LuaError(std::string("Mod security: Blocked attempted ") + \
 				(write_required ? "write to " : "read from ") + path); \
 	}
+
 #define CHECK_SECURE_PATH(L, path, write_required) \
 	if (ScriptApiSecurity::isSecure(L)) { \
-		CHECK_SECURE_PATH_INTERNAL(L, path, write_required, NULL); \
+		CHECK_SECURE_PATH_INTERNAL(L, path, write_required, nullptr); \
 	}
+
 #define CHECK_SECURE_PATH_POSSIBLE_WRITE(L, path, ptr) \
 	if (ScriptApiSecurity::isSecure(L)) { \
 		CHECK_SECURE_PATH_INTERNAL(L, path, false, ptr); \
@@ -27,19 +29,65 @@ class ScriptApiSecurity : virtual public ScriptApiBase
 public:
 	// Sets up security on the ScriptApi's Lua state
 	void initializeSecurity();
+#if CHECK_CLIENT_BUILD()
 	void initializeSecurityClient();
+#else
+	inline void initializeSecurityClient() { assert(0); }
+#endif
+
 	// Checks if the Lua state has been secured
 	static bool isSecure(lua_State *L);
-	// Loads a string as Lua code safely (doesn't allow bytecode).
-	static bool safeLoadString(lua_State *L, const std::string &code, const char *chunk_name);
-	// Loads a file as Lua code safely (doesn't allow bytecode).
-	static bool safeLoadFile(lua_State *L, const char *path, const char *display_name = NULL);
-	// Check if mod is whitelisted in the given setting
-	// This additionally checks that the mod's main file scope is executing.
+	// Leaves the untampered globals (table) on top of the stack
+	static void getGlobalsBackup(lua_State *L);
+
+	/// Loads a string as Lua code safely (doesn't allow bytecode).
+	static bool safeLoadString(lua_State *L, std::string_view code, const char *chunk_name);
+	/// Loads a file as Lua code safely (doesn't allow bytecode).
+	/// @warning path is not validated in any way
+	static bool safeLoadFile(lua_State *L, const char *path, const char *display_name = nullptr);
+
+	/**
+	 * Returns the currently running mod, only during init time.
+	 * This checks the Lua stack to only permit direct calls in the file
+	 * scope. That way it is assured that it's really the mod it claims to be.
+	 * @return mod name or "" on error
+	 */
+	static std::string getCurrentModName(lua_State *L);
+	/// Check if mod is whitelisted in the given setting.
+	/// This additionally does main scope checks (see above method).
+	/// @note check is performed even in non-secured Lua state
 	static bool checkWhitelisted(lua_State *L, const std::string &setting);
-	// Checks if mods are allowed to read (and optionally write) to the path
+
+	/// Checks if mods are allowed to read (and optionally write) to the path
+	/// @note invalid to call in non-secured Lua state
 	static bool checkPath(lua_State *L, const char *path, bool write_required,
-			bool *write_allowed=NULL);
+			bool *write_allowed = nullptr);
+
+protected:
+	// To be implemented by descendants:
+
+	/**
+	 * Specify if the mod names during init time(!) can be trusted.
+	 * It needs to be assured that no tampering happens before any call to `loadMod()`.
+	 * @note disabling this implies that mod whitelisting never works
+	 * @return boolean value
+	 */
+	virtual bool modNamesAreTrusted() { return false; }
+
+	/**
+	 * Should check if the given path may be accessed.
+	 * If `write_required` is true test for write access, if false test for read access.
+	 * @param abs_path absolute file/directory path, may not exist
+	 * @param write_required was write access requested?
+	 * @param write_allowed output parameter (nullable): set to true if writing is allowed
+	 * @return true if access is allowed
+	 */
+	virtual bool checkPathInternal(const std::string &abs_path, bool write_required,
+		bool *write_allowed) = 0;
+
+	// Ready-made implementation of `checkPathInternal` suitable for server-related uses
+	static bool checkPathWithGamedef(lua_State *L, const std::string &abs_path,
+		bool write_required, bool *write_allowed);
 
 private:
 	int getThread(lua_State *L);
@@ -48,6 +96,8 @@ private:
 	// creates an empty Lua environment
 	void createEmptyEnv(lua_State *L);
 
+	bool m_secure = false;
+
 	// Syntax: "sl_" <Library name or 'g' (global)> '_' <Function name>
 	// (sl stands for Secure Lua)