From e3a5c1a3f35a7682f933252b8de4c403daa02519 Mon Sep 17 00:00:00 2001 From: Erica Marigold Date: Wed, 15 May 2024 19:53:05 +0530 Subject: [PATCH] refactor(module): require AoT and provide those instead of checking lune require --- modules/sandbox.luau | 129 ++++++++++++++------------- modules/test.luau | 1 - pages/getting-started/5-security.mdx | 129 ++++++++++++++------------- 3 files changed, 136 insertions(+), 123 deletions(-) delete mode 100644 modules/test.luau diff --git a/modules/sandbox.luau b/modules/sandbox.luau index e22a930..25780c0 100644 --- a/modules/sandbox.luau +++ b/modules/sandbox.luau @@ -1,11 +1,14 @@ local fs = require("@lune/fs") local luau = require("@lune/luau") local process = require("@lune/process") +local serde = require("@lune/serde") local stdio = require("@lune/stdio") -local processArgs = table.clone(process.args) -local filePath: string = table.remove(processArgs, 1) or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]") +local task = require("@lune/task") + +local processArgs = table.clone(process.args) +local filePath: string = table.remove(processArgs, 1) + or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]") -local DEFAULT_REQUIRE = require local DEFAULT_PRINT = print local SANDBOXED_ENV = { debugName = filePath, @@ -18,6 +21,28 @@ local SANDBOXED_ENV = { }, } +local PROMPT_MSG_TMPL = `allow {SANDBOXED_ENV.debugName} to access %s?` +local DENIED_ERR_TMPL = `{SANDBOXED_ENV.debugName} tried to access disallowed library %s!` + +local function constructSandboxMt(requirePath: string) + return function(self, key) + local module = require(requirePath) + return module[key] + end +end + +local function constructProtectedLibMt(libName: string) + return function(self, key) + local allow: boolean = stdio.prompt("confirm", string.format(PROMPT_MSG_TMPL, libName)) + + if allow then + return constructSandboxMt(`@lune/{libName}`)(self, key) + end + + error(string.format(DENIED_ERR_TMPL, "fs")) + end +end + local function discoverAndReadScript(filePath: string): string local scriptContents: string @@ -66,67 +91,51 @@ local function sandboxPrint(...: any) DEFAULT_PRINT(`---------------------------------------`) end -local function sandboxedRequire(path: string) - if path:find("@lune") then - local module = path:split("/")[2]:gsub("%s", "") +local SANDBOXED_LUNE_STD_LIB = { + ["@lune/fs"] = setmetatable({}, { + __index = constructProtectedLibMt("fs"), + }), + ["@lune/luau"] = luau, + ["@lune/process"] = setmetatable({}, { + __index = constructProtectedLibMt("process"), + }), + ["@lune/stdio"] = setmetatable({ + write = sandboxPrint, + ewrite = sandboxPrint, -- TODO: do this + }, { + __index = constructSandboxMt("@lune/stdio"), + }), + ["@lune/net"] = setmetatable({}, { + __index = constructProtectedLibMt("net"), + }), + ["@lune/roblox"] = setmetatable({ + getAuthCookie = function(...) + local allowAuthCookie: boolean = stdio.prompt( + "confirm", + `allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?` + ) - if module == "net" or module == "fs" or module == "process" or module == "roblox" then - local allow: boolean = - stdio.prompt("confirm", `allow {SANDBOXED_ENV.debugName} to access {module}?`) - - if allow then - local moduleRequire = DEFAULT_REQUIRE(path) - - return setmetatable({}, { - __index = function(_, key) - local value = moduleRequire[key] - - if typeof(value) == "function" then - if module == "roblox" and key == "getAuthCookie" then - local allowAuthCookie: boolean = stdio.prompt( - "confirm", - `allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?` - ) - - if allowAuthCookie then - return value - end - end - - return function(...) - warn(`{SANDBOXED_ENV.debugName} invoked {key} with args {...}`) - return value(...) - end - end - - if module == "process" and key == "args" then - return processArgs - end - - return value - end, - - __tostring = function() - return stdio.format(moduleRequire) - end, - }) + if allowAuthCookie then + local getAuthCookie = constructSandboxMt("@lune/roblox")({}, "getAuthCookie") + return getAuthCookie(...) end - error(`{SANDBOXED_ENV.debugName} tried to access disallowed library {module}`) - end + error( + `{SANDBOXED_ENV.debugName} attempted to access .ROBLOSECURITY token even when denied` + ) + end, + }, { + __index = constructSandboxMt("@lune/roblox"), + }), + ["@lune/serde"] = serde, + ["@lune/task"] = task, +} - local otherModule = DEFAULT_REQUIRE(path) +local function sandboxedRequire(path: string) + local module = SANDBOXED_LUNE_STD_LIB[path] - if module == "stdio" then - return setmetatable({ - write = sandboxPrint, - ewrite = sandboxPrint, - }, { - __index = otherModule, - }) - end - - return otherModule + if module then + return module else local contents = discoverAndReadScript(path) @@ -135,8 +144,6 @@ local function sandboxedRequire(path: string) end end - - SANDBOXED_ENV.environment.require = sandboxedRequire SANDBOXED_ENV.environment.getfenv = sandboxGetfenv SANDBOXED_ENV.environment.setfenv = sandboxSetfenv diff --git a/modules/test.luau b/modules/test.luau deleted file mode 100644 index 7ce5515..0000000 --- a/modules/test.luau +++ /dev/null @@ -1 +0,0 @@ -print(require("@lune/roblox ").getAuthCookie()) \ No newline at end of file diff --git a/pages/getting-started/5-security.mdx b/pages/getting-started/5-security.mdx index 6fd6ffe..04c11af 100644 --- a/pages/getting-started/5-security.mdx +++ b/pages/getting-started/5-security.mdx @@ -26,11 +26,14 @@ Copy the source below and place it in a file named `sandbox.luau`: local fs = require("@lune/fs") local luau = require("@lune/luau") local process = require("@lune/process") +local serde = require("@lune/serde") local stdio = require("@lune/stdio") -local processArgs = table.clone(process.args) -local filePath: string = table.remove(processArgs, 1) or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]") +local task = require("@lune/task") + +local processArgs = table.clone(process.args) +local filePath: string = table.remove(processArgs, 1) + or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]") -local DEFAULT_REQUIRE = require local DEFAULT_PRINT = print local SANDBOXED_ENV = { debugName = filePath, @@ -43,6 +46,28 @@ local SANDBOXED_ENV = { }, } +local PROMPT_MSG_TMPL = `allow {SANDBOXED_ENV.debugName} to access %s?` +local DENIED_ERR_TMPL = `{SANDBOXED_ENV.debugName} tried to access disallowed library %s!` + +local function constructSandboxMt(requirePath: string) + return function(self, key) + local module = require(requirePath) + return module[key] + end +end + +local function constructProtectedLibMt(libName: string) + return function(self, key) + local allow: boolean = stdio.prompt("confirm", string.format(PROMPT_MSG_TMPL, libName)) + + if allow then + return constructSandboxMt(`@lune/{libName}`)(self, key) + end + + error(string.format(DENIED_ERR_TMPL, "fs")) + end +end + local function discoverAndReadScript(filePath: string): string local scriptContents: string @@ -91,67 +116,51 @@ local function sandboxPrint(...: any) DEFAULT_PRINT(`---------------------------------------`) end -local function sandboxedRequire(path: string) - if path:find("@lune") then - local module = path:split("/")[2]:gsub("%s", "") +local SANDBOXED_LUNE_STD_LIB = { + ["@lune/fs"] = setmetatable({}, { + __index = constructProtectedLibMt("fs"), + }), + ["@lune/luau"] = luau, + ["@lune/process"] = setmetatable({}, { + __index = constructProtectedLibMt("process"), + }), + ["@lune/stdio"] = setmetatable({ + write = sandboxPrint, + ewrite = sandboxPrint, -- TODO: do this + }, { + __index = constructSandboxMt("@lune/stdio"), + }), + ["@lune/net"] = setmetatable({}, { + __index = constructProtectedLibMt("net"), + }), + ["@lune/roblox"] = setmetatable({ + getAuthCookie = function(...) + local allowAuthCookie: boolean = stdio.prompt( + "confirm", + `allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?` + ) - if module == "net" or module == "fs" or module == "process" or module == "roblox" then - local allow: boolean = - stdio.prompt("confirm", `allow {SANDBOXED_ENV.debugName} to access {module}?`) - - if allow then - local moduleRequire = DEFAULT_REQUIRE(path) - - return setmetatable({}, { - __index = function(_, key) - local value = moduleRequire[key] - - if typeof(value) == "function" then - if module == "roblox" and key == "getAuthCookie" then - local allowAuthCookie: boolean = stdio.prompt( - "confirm", - `allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?` - ) - - if allowAuthCookie then - return value - end - end - - return function(...) - warn(`{SANDBOXED_ENV.debugName} invoked {key} with args {...}`) - return value(...) - end - end - - if module == "process" and key == "args" then - return processArgs - end - - return value - end, - - __tostring = function() - return stdio.format(moduleRequire) - end, - }) + if allowAuthCookie then + local getAuthCookie = constructSandboxMt("@lune/roblox")({}, "getAuthCookie") + return getAuthCookie(...) end - error(`{SANDBOXED_ENV.debugName} tried to access disallowed library {module}`) - end + error( + `{SANDBOXED_ENV.debugName} attempted to access .ROBLOSECURITY token even when denied` + ) + end, + }, { + __index = constructSandboxMt("@lune/roblox"), + }), + ["@lune/serde"] = serde, + ["@lune/task"] = task, +} - local otherModule = DEFAULT_REQUIRE(path) +local function sandboxedRequire(path: string) + local module = SANDBOXED_LUNE_STD_LIB[path] - if module == "stdio" then - return setmetatable({ - write = sandboxPrint, - ewrite = sandboxPrint, - }, { - __index = otherModule, - }) - end - - return otherModule + if module then + return module else local contents = discoverAndReadScript(path) @@ -160,8 +169,6 @@ local function sandboxedRequire(path: string) end end - - SANDBOXED_ENV.environment.require = sandboxedRequire SANDBOXED_ENV.environment.getfenv = sandboxGetfenv SANDBOXED_ENV.environment.setfenv = sandboxSetfenv