Luanti 5.11.0-dev
 
Loading...
Searching...
No Matches
Public Member Functions | Static Public Member Functions | Protected Member Functions | Static Protected Member Functions | Private Member Functions | Static Private Member Functions | Private Attributes | List of all members
ScriptApiSecurity Class Referenceabstract

#include <s_security.h>

+ Inheritance diagram for ScriptApiSecurity:
+ Collaboration diagram for ScriptApiSecurity:

Public Member Functions

void initializeSecurity ()
 
void initializeSecurityClient ()
 
- Public Member Functions inherited from ScriptApiBase
 ScriptApiBase (ScriptingType type)
 
 ScriptApiBase ()
 
virtual ~ScriptApiBase ()
 
 DISABLE_CLASS_COPY (ScriptApiBase)
 
void loadMod (const std::string &script_path, const std::string &mod_name)
 
void loadScript (const std::string &script_path)
 
void runCallbacksRaw (int nargs, RunCallbacksMode mode, const char *fxn)
 
void addObjectReference (ServerActiveObject *cobj)
 
void removeObjectReference (ServerActiveObject *cobj)
 
ScriptingType getType ()
 
IGameDefgetGameDef ()
 
ServergetServer ()
 
const std::string & getOrigin ()
 
void setOriginDirect (const char *origin)
 
void setOriginFromTableRaw (int index, const char *fxn)
 
void clientOpenLibs (lua_State *L)
 
void checkSetByBuiltin ()
 

Static Public Member Functions

static bool isSecure (lua_State *L)
 
static void getGlobalsBackup (lua_State *L)
 
static bool safeLoadString (lua_State *L, std::string_view code, const char *chunk_name)
 Loads a string as Lua code safely (doesn't allow bytecode).
 
static bool safeLoadFile (lua_State *L, const char *path, const char *display_name=nullptr)
 Loads a file as Lua code safely (doesn't allow bytecode).
 
static std::string getCurrentModName (lua_State *L)
 Returns the currently running mod, only during init time.
 
static bool checkWhitelisted (lua_State *L, const std::string &setting)
 Check if mod is whitelisted in the given setting.
 
static bool checkPath (lua_State *L, const char *path, bool write_required, bool *write_allowed=nullptr)
 Checks if mods are allowed to read (and optionally write) to the path.
 
- Static Public Member Functions inherited from ScriptApiBase
static std::string getCurrentModNameInsecure (lua_State *L)
 Returns the currently running mod, only during init time.
 

Protected Member Functions

virtual bool modNamesAreTrusted ()
 Specify if the mod names during init time(!) can be trusted.
 
virtual bool checkPathInternal (const std::string &abs_path, bool write_required, bool *write_allowed)=0
 Should check if the given path may be accessed.
 
- Protected Member Functions inherited from ScriptApiBase
lua_State * getStack ()
 
void realityCheck ()
 
void scriptError (int result, const char *fxn)
 
void stackDump (std::ostream &o)
 
void setGameDef (IGameDef *gamedef)
 
EnvironmentgetEnv ()
 
void setEnv (Environment *env)
 
EmergeThreadgetEmergeThread ()
 
void setEmergeThread (EmergeThread *emerge)
 
void objectrefGetOrCreate (lua_State *L, ServerActiveObject *cobj)
 
void pushPlayerHPChangeReason (lua_State *L, const PlayerHPChangeReason &reason)
 
- Protected Member Functions inherited from LuaHelper
template<>
bool readParam (lua_State *L, int index)
 
template<>
s16 readParam (lua_State *L, int index)
 
template<>
int readParam (lua_State *L, int index)
 
template<>
float readParam (lua_State *L, int index)
 
template<>
v2s16 readParam (lua_State *L, int index)
 
template<>
v2f readParam (lua_State *L, int index)
 
template<>
v3f readParam (lua_State *L, int index)
 
template<>
std::string_view readParam (lua_State *L, int index)
 
template<>
std::string readParam (lua_State *L, int index)
 
template<>
std::string_view readParam (lua_State *L, int index)
 Read a string from Lua state L at index without copying it.
 

Static Protected Member Functions

static bool checkPathWithGamedef (lua_State *L, const std::string &abs_path, bool write_required, bool *write_allowed)
 
- Static Protected Member Functions inherited from LuaHelper
template<typename T >
static T readParam (lua_State *L, int index)
 Read a value using a template type T from Lua state L at index.
 
template<typename T >
static T readParam (lua_State *L, int index, const T &default_value)
 Read a value using a template type T from Lua state L at index.
 

Private Member Functions

int getThread (lua_State *L)
 
void setLuaEnv (lua_State *L, int thread)
 
void createEmptyEnv (lua_State *L)
 

Static Private Member Functions

static int sl_g_dofile (lua_State *L)
 
static int sl_g_load (lua_State *L)
 
static int sl_g_loadfile (lua_State *L)
 
static int sl_g_loadstring (lua_State *L)
 
static int sl_g_require (lua_State *L)
 
static int sl_io_open (lua_State *L)
 
static int sl_io_input (lua_State *L)
 
static int sl_io_output (lua_State *L)
 
static int sl_io_lines (lua_State *L)
 
static int sl_os_rename (lua_State *L)
 
static int sl_os_remove (lua_State *L)
 
static int sl_os_setlocale (lua_State *L)
 

Private Attributes

bool m_secure = false
 

Additional Inherited Members

- Protected Attributes inherited from ScriptApiBase
std::recursive_mutex m_luastackmutex
 
std::string m_last_run_mod
 
int m_lock_recursion_count {}
 
std::thread::id m_owning_thread
 

Member Function Documentation

◆ checkPath()

bool ScriptApiSecurity::checkPath ( lua_State * L,
const char * path,
bool write_required,
bool * write_allowed = nullptr )
static

Checks if mods are allowed to read (and optionally write) to the path.

Note
invalid to call in non-secured Lua state

References fs::AbsolutePath(), DIR_DELIM, ModApiBase::getScriptApi(), fs::RemoveLastPathComponent(), and tracestream.

Referenced by ModApiMainMenu::l_may_modify_path().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkPathInternal()

virtual bool ScriptApiSecurity::checkPathInternal ( const std::string & abs_path,
bool write_required,
bool * write_allowed )
protectedpure virtual

Should check if the given path may be accessed.

If write_required is true test for write access, if false test for read access.

Parameters
abs_pathabsolute file/directory path, may not exist
write_requiredwas write access requested?
write_allowedoutput parameter (nullable): set to true if writing is allowed
Returns
true if access is allowed

Implemented in AsyncWorkerThread, ClientScripting, EmergeScripting, MainMenuScripting, and ServerScripting.

◆ checkPathWithGamedef()

bool ScriptApiSecurity::checkPathWithGamedef ( lua_State * L,
const std::string & abs_path,
bool write_required,
bool * write_allowed )
staticprotected

References fs::AbsolutePath(), BUILTIN_MOD_NAME, checkModNameWhitelisted(), DIR_DELIM, g_settings_path, ScriptApiBase::getCurrentModNameInsecure(), fs::GetFilenameFromPath(), ModApiBase::getGameDef(), log_deprecated(), lowercase(), ModSpec::path, SubgameSpec::path, and fs::PathStartsWith().

Referenced by AsyncWorkerThread::checkPathInternal(), EmergeScripting::checkPathInternal(), and ServerScripting::checkPathInternal().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ checkWhitelisted()

bool ScriptApiSecurity::checkWhitelisted ( lua_State * L,
const std::string & setting )
static

Check if mod is whitelisted in the given setting.

This additionally does main scope checks (see above method).

Note
check is performed even in non-secured Lua state

References checkModNameWhitelisted(), and getCurrentModName().

Referenced by ModApiHttp::l_request_http_api(), and ModApiUtil::l_request_insecure_environment().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ createEmptyEnv()

void ScriptApiSecurity::createEmptyEnv ( lua_State * L)
private

Referenced by initializeSecurity().

+ Here is the caller graph for this function:

◆ getCurrentModName()

std::string ScriptApiSecurity::getCurrentModName ( lua_State * L)
static

Returns the currently running mod, only during init time.

This checks the Lua stack to only permit direct calls in the file scope. That way it is assured that it's really the mod it claims to be.

Returns
mod name or "" on error

References FATAL_ERROR_IF, ScriptApiBase::getCurrentModNameInsecure(), and ModApiBase::getScriptApiBase().

Referenced by checkWhitelisted().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ getGlobalsBackup()

void ScriptApiSecurity::getGlobalsBackup ( lua_State * L)
static

References CUSTOM_RIDX_GLOBALS_BACKUP, FATAL_ERROR_IF, and isSecure().

Referenced by call_string_dump(), and ModApiUtil::l_request_insecure_environment().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ getThread()

int ScriptApiSecurity::getThread ( lua_State * L)
private

References FATAL_ERROR_IF.

Referenced by initializeSecurity().

+ Here is the caller graph for this function:

◆ initializeSecurity()

void ScriptApiSecurity::initializeSecurity ( )

References copy_safe(), createEmptyEnv(), CUSTOM_RIDX_GLOBALS_BACKUP, ScriptApiBase::getStack(), getThread(), m_secure, remove(), SECURE_API, setLuaEnv(), and shallow_copy_table().

Referenced by AsyncWorkerThread::AsyncWorkerThread(), EmergeScripting::EmergeScripting(), MainMenuScripting::MainMenuScripting(), and ServerScripting::ServerScripting().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ initializeSecurityClient()

void ScriptApiSecurity::initializeSecurityClient ( )
inline

Referenced by ClientScripting::ClientScripting().

+ Here is the caller graph for this function:

◆ isSecure()

bool ScriptApiSecurity::isSecure ( lua_State * L)
static

References ModApiBase::getScriptApiBase().

Referenced by checkSettingSecurity(), getGlobalsBackup(), ModApiUtil::l_request_insecure_environment(), and ScriptApiBase::loadScript().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ modNamesAreTrusted()

virtual bool ScriptApiSecurity::modNamesAreTrusted ( )
inlineprotectedvirtual

Specify if the mod names during init time(!) can be trusted.

It needs to be assured that no tampering happens before any call to loadMod().

Note
disabling this implies that mod whitelisting never works
Returns
boolean value

Reimplemented in ClientScripting, and ServerScripting.

◆ safeLoadFile()

bool ScriptApiSecurity::safeLoadFile ( lua_State * L,
const char * path,
const char * display_name = nullptr )
static

Loads a file as Lua code safely (doesn't allow bytecode).

Warning
path is not validated in any way

References safeLoadString().

Referenced by ScriptApiBase::loadScript(), and sl_g_loadfile().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ safeLoadString()

bool ScriptApiSecurity::safeLoadString ( lua_State * L,
std::string_view code,
const char * chunk_name )
static

Loads a string as Lua code safely (doesn't allow bytecode).

Referenced by safeLoadFile(), sl_g_load(), sl_g_loadfile(), and sl_g_loadstring().

+ Here is the caller graph for this function:

◆ setLuaEnv()

void ScriptApiSecurity::setLuaEnv ( lua_State * L,
int thread )
private

References FATAL_ERROR_IF.

Referenced by initializeSecurity().

+ Here is the caller graph for this function:

◆ sl_g_dofile()

int ScriptApiSecurity::sl_g_dofile ( lua_State * L)
staticprivate

References sl_g_loadfile().

+ Here is the call graph for this function:

◆ sl_g_load()

int ScriptApiSecurity::sl_g_load ( lua_State * L)
staticprivate

References safeLoadString().

+ Here is the call graph for this function:

◆ sl_g_loadfile()

int ScriptApiSecurity::sl_g_loadfile ( lua_State * L)
staticprivate

References CHECK_SECURE_PATH_INTERNAL, Client, ModApiBase::getScriptApiBase(), ScriptApiBase::getType(), LuaHelper::readParam(), safeLoadFile(), and safeLoadString().

Referenced by sl_g_dofile().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ sl_g_loadstring()

int ScriptApiSecurity::sl_g_loadstring ( lua_State * L)
staticprivate

References safeLoadString().

+ Here is the call graph for this function:

◆ sl_g_require()

int ScriptApiSecurity::sl_g_require ( lua_State * L)
staticprivate

◆ sl_io_input()

int ScriptApiSecurity::sl_io_input ( lua_State * L)
staticprivate

References CHECK_SECURE_PATH_INTERNAL, and push_original().

+ Here is the call graph for this function:

◆ sl_io_lines()

int ScriptApiSecurity::sl_io_lines ( lua_State * L)
staticprivate

References CHECK_SECURE_PATH_INTERNAL, and push_original().

+ Here is the call graph for this function:

◆ sl_io_open()

int ScriptApiSecurity::sl_io_open ( lua_State * L)
staticprivate

References CHECK_SECURE_PATH_INTERNAL, and push_original().

+ Here is the call graph for this function:

◆ sl_io_output()

int ScriptApiSecurity::sl_io_output ( lua_State * L)
staticprivate

References CHECK_SECURE_PATH_INTERNAL, and push_original().

+ Here is the call graph for this function:

◆ sl_os_remove()

int ScriptApiSecurity::sl_os_remove ( lua_State * L)
staticprivate

References CHECK_SECURE_PATH_INTERNAL, and push_original().

+ Here is the call graph for this function:

◆ sl_os_rename()

int ScriptApiSecurity::sl_os_rename ( lua_State * L)
staticprivate

References CHECK_SECURE_PATH_INTERNAL, and push_original().

+ Here is the call graph for this function:

◆ sl_os_setlocale()

int ScriptApiSecurity::sl_os_setlocale ( lua_State * L)
staticprivate

References push_original().

+ Here is the call graph for this function:

Member Data Documentation

◆ m_secure

bool ScriptApiSecurity::m_secure = false
private

Referenced by initializeSecurity().

The documentation for this class was generated from the following files: