local fs = require("@lune/fs") local luau = require("@lune/luau") local process = require("@lune/process") local serde = require("@lune/serde") local stdio = require("@lune/stdio") local task = require("@lune/task") local regex = require("@lune/regex") local datetime = require("@lune/datetime") local processArgs = table.clone(process.args) local filePath: string = table.remove(processArgs, 1) or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]") local DEFAULT_PRINT = print local SANDBOXED_ENV = { debugName = filePath, environment = { require = nil, getfenv = nil, setfenv = nil, print = nil, warn = nil, }, } local PROMPT_MSG_TMPL = `allow {SANDBOXED_ENV.debugName} to access %s?` local DENIED_ERR_TMPL = `{SANDBOXED_ENV.debugName} tried to access disallowed library %s!` local function constructSandboxMt(requirePath: string) return function(self, key) local module = require(requirePath) return module[key] end end local function constructProtectedLibMt(libName: string) return function(self, key) local allow: boolean = stdio.prompt("confirm", string.format(PROMPT_MSG_TMPL, libName)) if allow then return constructSandboxMt(`@lune/{libName}`)(self, key) end error(string.format(DENIED_ERR_TMPL, "fs")) end end local function discoverAndReadScript(filePath: string): string local scriptContents: string if fs.isFile(filePath) then scriptContents = fs.readFile(filePath) return scriptContents end if fs.isDir(filePath) then if fs.isFile(filePath .. "/init.luau") then scriptContents = fs.readFile(filePath .. "/init.luau") end if fs.isFile(filePath .. "/init.lua") then scriptContents = fs.readFile(filePath .. "init.lua") end end if scriptContents == nil then for _, ext in { ".luau", ".lua" } do local filePathExt = filePath .. ext if fs.isFile(filePathExt) then scriptContents = fs.readFile(filePathExt) end end if scriptContents == nil then error(`No such file or directory \`{filePath}\``) end end return scriptContents end local function sandboxGetfenv(): {} if table.isfrozen(SANDBOXED_ENV) then return SANDBOXED_ENV.environment end return {} end local function sandboxSetfenv(env: {}): never error("cannot call setfenv from sandbox") end local function sandboxPrint(...: any) DEFAULT_PRINT(`---- Output from {SANDBOXED_ENV.debugName} ----`) DEFAULT_PRINT(...) DEFAULT_PRINT(`---------------------------------------`) end local SANDBOXED_LUNE_STD_LIB = { ["@lune/fs"] = setmetatable({}, { __index = constructProtectedLibMt("fs"), }), ["@lune/luau"] = setmetatable({}, { __index = constructProtectedLibMt("luau") }), ["@lune/process"] = setmetatable({}, { __index = constructProtectedLibMt("process"), }), ["@lune/stdio"] = setmetatable({ write = sandboxPrint, ewrite = sandboxPrint, }, { __index = constructSandboxMt("@lune/stdio"), }), ["@lune/net"] = setmetatable({}, { __index = constructProtectedLibMt("net"), }), ["@lune/roblox"] = setmetatable({ getAuthCookie = function(...) local allowAuthCookie: boolean = stdio.prompt( "confirm", `allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?` ) if allowAuthCookie then local getAuthCookie = constructSandboxMt("@lune/roblox")({}, "getAuthCookie") return getAuthCookie(...) end error( `{SANDBOXED_ENV.debugName} attempted to access .ROBLOSECURITY token even when denied` ) end, }, { __index = constructSandboxMt("@lune/roblox"), }), ["@lune/serde"] = serde, ["@lune/task"] = task, ["@lune/regex"] = regex, ["@lune/datetime"] = datetime, } local function sandboxedRequire(path: string) local module = SANDBOXED_LUNE_STD_LIB[path] if module then return module else local contents = discoverAndReadScript(path) local evalChunk = luau.load(contents, SANDBOXED_ENV) return evalChunk() end end SANDBOXED_ENV.environment.require = sandboxedRequire SANDBOXED_ENV.environment.getfenv = sandboxGetfenv SANDBOXED_ENV.environment.setfenv = sandboxSetfenv SANDBOXED_ENV.environment.print = sandboxPrint SANDBOXED_ENV.environment.warn = sandboxPrint luau.load(discoverAndReadScript(filePath), table.freeze(SANDBOXED_ENV))()