Refactor how script api reads current mod name

This is to prevent future mistakes and make it clearer whether the mod name can be trusted depending on how it is retrieved.
2025-08-01 17:38:41 +00:00 · 2024-02-14 13:29:53 +01:00 · 2024-02-14 13:29:53 +01:00 · ce97210eb1
commit ce97210eb1
parent cb5fa56e17
8 changed files with 88 additions and 78 deletions
--- a/src/script/cpp_api/s_base.cpp
+++ b/src/script/cpp_api/s_base.cpp
@ -179,6 +179,7 @@ int ScriptApiBase::luaPanic(lua_State *L)
 	return 0;
 }

+#ifndef SERVER
 void ScriptApiBase::clientOpenLibs(lua_State *L)
 {
 	static const std::vector<std::pair<std::string, lua_CFunction>> m_libs = {
@ -199,6 +200,7 @@ void ScriptApiBase::clientOpenLibs(lua_State *L)
 	    lua_call(L, 1, 0);
 	}
 }
+#endif

 void ScriptApiBase::checkSetByBuiltin()
 {
@ -223,6 +225,45 @@ void ScriptApiBase::checkSetByBuiltin()
 	}
 }

+std::string ScriptApiBase::getCurrentModNameInsecure(lua_State *L)
+{
+	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
+	auto ret = lua_isstring(L, -1) ? readParam<std::string>(L, -1) : "";
+	lua_pop(L, 1);
+	return ret;
+}
+
+std::string ScriptApiBase::getCurrentModName(lua_State *L)
+{
+	auto script = ModApiBase::getScriptApiBase(L);
+	if (script->getType() == ScriptingType::Async ||
+		script->getType() == ScriptingType::Emerge)
+	{
+		// As a precaution never return a "secure" mod name in the async and
+		// emerge environment, because these currently do not track mod origins
+		// in a spoof-safe way (see l_register_async_dofile and l_register_mapgen_script).
+		return "";
+	}
+
+	// We have to make sure that this function is being called directly by
+	// a mod, otherwise a malicious mod could override a function and
+	// steal its return value. (e.g. request_insecure_environment)
+	lua_Debug info;
+
+	// Make sure there's only one item below this function on the stack...
+	if (lua_getstack(L, 2, &info))
+		return "";
+	FATAL_ERROR_IF(!lua_getstack(L, 1, &info), "lua_getstack() failed");
+	FATAL_ERROR_IF(!lua_getinfo(L, "S", &info), "lua_getinfo() failed");
+
+	// ...and that that item is the main file scope.
+	if (strcmp(info.what, "main") != 0)
+		return "";
+
+	// at this point we can trust this value:
+	return getCurrentModNameInsecure(L);
+}
+
 void ScriptApiBase::loadMod(const std::string &script_path,
 		const std::string &mod_name)
 {
--- a/src/script/cpp_api/s_base.h
+++ b/src/script/cpp_api/s_base.h
@ -110,13 +110,29 @@ public:
 	Client* getClient();
 #endif

-	// IMPORTANT: these cannot be used for any security-related uses, they exist
-	// only to enrich error messages
+	// IMPORTANT: These cannot be used for any security-related uses, they exist
+	// only to enrich error messages.
 	const std::string &getOrigin() { return m_last_run_mod; }
 	void setOriginDirect(const char *origin);
 	void setOriginFromTableRaw(int index, const char *fxn);

+	// Returns the currently running mod, only during init time.
+	// The reason this is "insecure" is that mods can mess with each others code,
+	// so the boundary of who is responsible is fuzzy.
+	// Note: checking this against BUILTIN_MOD_NAME is always safe (not spoofable).
+	// returns "" on error
+	static std::string getCurrentModNameInsecure(lua_State *L);
+	// Returns the currently running mod, only during init time.
+	// This checks the Lua stack to only permit direct calls in the file
+	// scope. That way it is assured that it's really the mod it claims to be.
+	// returns "" on error
+	static std::string getCurrentModName(lua_State *L);
+
+#ifdef SERVER
+	inline void clientOpenLibs(lua_State *L) { assert(false); }
+#else
 	void clientOpenLibs(lua_State *L);
+#endif

 	// Check things that should be set by the builtin mod.
 	void checkSetByBuiltin();
--- a/src/script/cpp_api/s_security.cpp
+++ b/src/script/cpp_api/s_security.cpp
@ -555,10 +555,9 @@ bool ScriptApiSecurity::checkPath(lua_State *L, const char *path,
 		return false;

 	// Get mod name
-	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
-	if (lua_isstring(L, -1)) {
-		std::string mod_name = readParam<std::string>(L, -1);
-
+	// FIXME: insecure = problem here?
+	std::string mod_name = ScriptApiBase::getCurrentModNameInsecure(L);
+	if (!mod_name.empty()) {
 		// Builtin can access anything
 		if (mod_name == BUILTIN_MOD_NAME) {
 			if (write_allowed) *write_allowed = true;
@ -578,7 +577,6 @@ bool ScriptApiSecurity::checkPath(lua_State *L, const char *path,
 			}
 		}
 	}
-	lua_pop(L, 1);  // Pop mod name

 	// Allow read-only access to game directory
 	if (!write_required) {
@ -629,26 +627,9 @@ bool ScriptApiSecurity::checkWhitelisted(lua_State *L, const std::string &settin
 {
 	assert(str_starts_with(setting, "secure."));

-	// We have to make sure that this function is being called directly by
-	// a mod, otherwise a malicious mod could override this function and
-	// steal its return value.
-	lua_Debug info;
-
-	// Make sure there's only one item below this function on the stack...
-	if (lua_getstack(L, 2, &info))
+	std::string mod_name = ScriptApiBase::getCurrentModName(L);
+	if (mod_name.empty())
 		return false;
-	FATAL_ERROR_IF(!lua_getstack(L, 1, &info), "lua_getstack() failed");
-	FATAL_ERROR_IF(!lua_getinfo(L, "S", &info), "lua_getinfo() failed");
-
-	// ...and that that item is the main file scope.
-	if (strcmp(info.what, "main") != 0)
-		return false;
-
-	// Mod must be listed in secure.http_mods or secure.trusted_mods
-	lua_rawgeti(L, LUA_REGISTRYINDEX, CUSTOM_RIDX_CURRENT_MOD_NAME);
-	if (!lua_isstring(L, -1))
-		return false;
-	std::string mod_name = readParam<std::string>(L, -1);

 	std::string value = g_settings->get(setting);
 	value.erase(std::remove(value.begin(), value.end(), ' '), value.end());