lune-org/docs
1
0
Fork 0
mirror of https://github.com/lune-org/docs.git synced 2025-04-04 10:30:55 +01:00
Code Issues Projects Releases Packages Wiki Activity

fix(module): fix some simple sandbox escapes

Browse source
This commit is contained in:
Erica Marigold 2024-05-15 18:27:27 +05:30
parent ec0cf38189
commit 772cd3b1ba
No known key found for this signature in database
GPG key ID: 2768CC0C23D245D1
4 changed files with 53 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
.vscode/settings.json vendored
View file

@ -1,9 +1,11 @@
{ {
"luau-lsp.types.roblox": false, "luau-lsp.types.roblox": false,
"luau-lsp.sourcemap.enabled": false, "luau-lsp.sourcemap.enabled": false,
"luau-lsp.ignoreGlobs": ["temp/**"], "luau-lsp.ignoreGlobs": [
"luau-lsp.require.mode": "relativeToFile", "temp/**"
"luau-lsp.require.directoryAliases": { ],
"@lune/": "~/.lune/.typedefs/0.7.4/" "luau-lsp.require.mode": "relativeToFile",
} "luau-lsp.require.directoryAliases": {
} "@lune/": "~/.lune/.typedefs/0.8.0/"
}
}

27
modules/sandbox.luau
View file

@ -2,9 +2,8 @@ local fs = require("@lune/fs")
local luau = require("@lune/luau") local luau = require("@lune/luau")
local process = require("@lune/process") local process = require("@lune/process")
local stdio = require("@lune/stdio") local stdio = require("@lune/stdio")
local processArgs = table.clone(process.args) local processArgs = table.clone(process.args)
local filePath: string = table.remove(processArgs, 1) local filePath: string = table.remove(processArgs, 1) or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]")
local DEFAULT_REQUIRE = require local DEFAULT_REQUIRE = require
local DEFAULT_PRINT = print local DEFAULT_PRINT = print
@ -12,6 +11,10 @@ local SANDBOXED_ENV = {
debugName = filePath, debugName = filePath,
environment = { environment = {
require = nil, require = nil,
getfenv = nil,
setfenv = nil,
print = nil,
warn = nil,
}, },
} }
@ -49,15 +52,23 @@ local function discoverAndReadScript(filePath: string): string
return scriptContents return scriptContents
end end
local function sandboxGetfenv(): {}
return table.freeze(SANDBOXED_ENV)
end
local function sandboxSetfenv(env: {}): never
error("cannot call setfenv from sandbox")
end
local function sandboxPrint(...: any) local function sandboxPrint(...: any)
DEFAULT_PRINT(`---- Output from {SANDBOXED_ENV.debugName} ----`) DEFAULT_PRINT(`---- Output from {SANDBOXED_ENV.debugName} ----`)
DEFAULT_PRINT(...) DEFAULT_PRINT(...)
DEFAULT_PRINT(`---------------------------------------`) DEFAULT_PRINT(`---------------------------------------`)
end end
local function sandboxedRequire<T>(path: string): T local function sandboxedRequire(path: string)
if path:find("@lune") then if path:find("@lune") then
local module = path:split("/")[2] local module = path:split("/")[2]:gsub("%s", "")
if module == "net" or module == "fs" or module == "process" or module == "roblox" then if module == "net" or module == "fs" or module == "process" or module == "roblox" then
local allow: boolean = local allow: boolean =
@ -74,7 +85,7 @@ local function sandboxedRequire<T>(path: string): T
if module == "roblox" and key == "getAuthCookie" then if module == "roblox" and key == "getAuthCookie" then
local allowAuthCookie: boolean = stdio.prompt( local allowAuthCookie: boolean = stdio.prompt(
"confirm", "confirm",
`allow {SANDBOXED_ENV.debugName} to access to .ROBLOSECURITY token?` `allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?`
) )
if allowAuthCookie then if allowAuthCookie then
@ -119,12 +130,16 @@ local function sandboxedRequire<T>(path: string): T
else else
local contents = discoverAndReadScript(path) local contents = discoverAndReadScript(path)
local evalChunk: () -> T = luau.load(contents, SANDBOXED_ENV) local evalChunk = luau.load(contents, SANDBOXED_ENV)
return evalChunk() return evalChunk()
end end
end end
SANDBOXED_ENV.environment.require = sandboxedRequire SANDBOXED_ENV.environment.require = sandboxedRequire
SANDBOXED_ENV.environment.getfenv = sandboxGetfenv
SANDBOXED_ENV.environment.setfenv = sandboxSetfenv
SANDBOXED_ENV.environment.print = sandboxPrint SANDBOXED_ENV.environment.print = sandboxPrint
SANDBOXED_ENV.environment.warn = sandboxPrint SANDBOXED_ENV.environment.warn = sandboxPrint
luau.load(discoverAndReadScript(filePath), table.freeze(SANDBOXED_ENV))() luau.load(discoverAndReadScript(filePath), table.freeze(SANDBOXED_ENV))()

1
modules/test.luau Normal file
View file

@ -0,0 +1 @@
print(require("@lune/roblox ").getAuthCookie())

27
pages/getting-started/5-security.mdx
View file

@ -27,9 +27,8 @@ local fs = require("@lune/fs")
local luau = require("@lune/luau") local luau = require("@lune/luau")
local process = require("@lune/process") local process = require("@lune/process")
local stdio = require("@lune/stdio") local stdio = require("@lune/stdio")
local processArgs = table.clone(process.args) local processArgs = table.clone(process.args)
local filePath: string = table.remove(processArgs, 1) local filePath: string = table.remove(processArgs, 1) or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]")
local DEFAULT_REQUIRE = require local DEFAULT_REQUIRE = require
local DEFAULT_PRINT = print local DEFAULT_PRINT = print
@ -37,6 +36,10 @@ local SANDBOXED_ENV = {
debugName = filePath, debugName = filePath,
environment = { environment = {
require = nil, require = nil,
getfenv = nil,
setfenv = nil,
print = nil,
warn = nil,
}, },
} }
@ -74,15 +77,23 @@ local function discoverAndReadScript(filePath: string): string
return scriptContents return scriptContents
end end
local function sandboxGetfenv(): {}
return table.freeze(SANDBOXED_ENV)
end
local function sandboxSetfenv(env: {}): never
error("cannot call setfenv from sandbox")
end
local function sandboxPrint(...: any) local function sandboxPrint(...: any)
DEFAULT_PRINT(`---- Output from {SANDBOXED_ENV.debugName} ----`) DEFAULT_PRINT(`---- Output from {SANDBOXED_ENV.debugName} ----`)
DEFAULT_PRINT(...) DEFAULT_PRINT(...)
DEFAULT_PRINT(`---------------------------------------`) DEFAULT_PRINT(`---------------------------------------`)
end end
local function sandboxedRequire<T>(path: string): T local function sandboxedRequire(path: string)
if path:find("@lune") then if path:find("@lune") then
local module = path:split("/")[2] local module = path:split("/")[2]:gsub("%s", "")
if module == "net" or module == "fs" or module == "process" or module == "roblox" then if module == "net" or module == "fs" or module == "process" or module == "roblox" then
local allow: boolean = local allow: boolean =
@ -99,7 +110,7 @@ local function sandboxedRequire<T>(path: string): T
if module == "roblox" and key == "getAuthCookie" then if module == "roblox" and key == "getAuthCookie" then
local allowAuthCookie: boolean = stdio.prompt( local allowAuthCookie: boolean = stdio.prompt(
"confirm", "confirm",
`allow {SANDBOXED_ENV.debugName} to access to .ROBLOSECURITY token?` `allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?`
) )
if allowAuthCookie then if allowAuthCookie then
@ -144,12 +155,16 @@ local function sandboxedRequire<T>(path: string): T
else else
local contents = discoverAndReadScript(path) local contents = discoverAndReadScript(path)
local evalChunk: () -> T = luau.load(contents, SANDBOXED_ENV) local evalChunk = luau.load(contents, SANDBOXED_ENV)
return evalChunk() return evalChunk()
end end
end end
SANDBOXED_ENV.environment.require = sandboxedRequire SANDBOXED_ENV.environment.require = sandboxedRequire
SANDBOXED_ENV.environment.getfenv = sandboxGetfenv
SANDBOXED_ENV.environment.setfenv = sandboxSetfenv
SANDBOXED_ENV.environment.print = sandboxPrint SANDBOXED_ENV.environment.print = sandboxPrint
SANDBOXED_ENV.environment.warn = sandboxPrint SANDBOXED_ENV.environment.warn = sandboxPrint
luau.load(discoverAndReadScript(filePath), table.freeze(SANDBOXED_ENV))() luau.load(discoverAndReadScript(filePath), table.freeze(SANDBOXED_ENV))()