1

I want to block the io library so that community created scripts don't have access to it.

I could simply create a Lua state without it, but here's the dilemma: community scripts should still be able to use the io library by calling loadfile() on libraries created by the dev team that have wrapped io functions in them.

I found no way to achieve this duality of blocking functions/libraries from community scripts while still allowing said scripts to run the offending functions/libraries if they are wrapped (for sanitization purposes) in another dev-maintainted library which community scripts can load with loadfile(). I'm resorting to the ugly method of blacklisting certain strings so if the script has them, it doesn't run. BTW, the blacklist is checked from the C++ side where the script to run is a string variable that is fed to the VM if it's clean.

If I blacklist...

"_G", "io.", "io .", "io}", "io }", "io  ", "=io", "= io", "{io", "{ io", ",io", ", io", "  io"

...is it still possible to call io library functions, or do I have everything covered? The reason blocking _G is a must is this:

a = "i"
b = "o"
boom = _G[a..b]

I want to know if another 'hack' is possible. Also, I welcome alternatives on how I can achieve the aforementioned duality without blacklisting strings.

John D.
  • 19
  • 4
  • you're missing `io,`, but I don't think it's a good idea to do this kind of thing. Maybe you'd rather do something like this: https://stackoverflow.com/questions/1224708/how-can-i-create-a-secure-lua-sandbox ; So you can run your *elevated* Lua scripts in the normal Sandbox and community scripts in a restricted one. Be careful not to leak the elevated environment. – dualed Sep 30 '19 at 10:46

1 Answers1

0

Write your own loadfile function that will check the location of the loaded files (presumably all dev-maintained libraries have a defined location) and add the io library to the environment available to the loaded scripts (using env parameter in Lua 5.2+). The sandbox itself won't have access to the io library, but the dev libraries will.

Paul Kulchenko
  • 25,884
  • 3
  • 38
  • 56
  • Yes, dev-maintained libraries have a defined location. But if the sandbox lacks access to the io library, will the community script — which must be able to load dev libraries — be able to run io functions? I'm having trouble understanding how it would work, are you suggesting I mix environments? Is it even possible? – John D. Sep 27 '19 at 03:41