tecu tries to learn - c++, lua - creating a sandbox
(sorry if this is too off-topic)
i have a ridiculous amount of free time at the moment (unemployed), so i figured i'd be productive and spend some of it learning things. to that end i'm working on a project that includes opengl, c++, and lua. doing this is a little silly: my skill level with opengl and c++ is basically at the beginner level, and the project itself doesn't have a solid goal beyond 'learn stuff'; but you probably don't care about all that. anyway, i spent a short time yesterday trying to figure out the basics of integrating lua and c++ before thinking, 'I NEED TO CREATE A SANDBOX.' and what i'm interested in creating (and why i'm asking this here) is something similar to the wow lua environment: - include base, math, string, and table libs (though no coroutine) - disable reading from or writing to anything outside the lua environment so, after reading the entire internet, i've seen examples of how to create custom environment tables and how to use them for loaded script files. i mostly undrestand these, but it seems like to do this right (while still maintaining the featureset i want) would require knowledge i don't have yet and far more effort than what it would take to, say, just nuking anything in the global table that isn't in my whitelist: Code:
//!! = things to deal with if using a custom env table Code:
lua_pushnil( state ); QUESTIONS: - where's a good place to ask this sort of question? i was thinking of setting up camp on stackoverflow or something. - will what i described be reasonably secure? i'll probably limit the max number of operations or max execution time too, but is there anything else i should watch out for? - are there any big drawbacks that come to mind when messing with the global table like this? - any other thoughts? wellp. thanks for taking the time to read this, and thanks in advance for any feedback! |
From what I know of the Lua environment that WoW uses. WoW initially used Lua 5.0 in vanilla and upgraded to 5.1 in BC. As an open source scripting engine, the source code is available for free download at http://www.lua.org. It's written in pure ANSI C, so you should easily be able to import it into C++.
There are only a few modifications the WoW API made to the core Lua engine:
|
Quote:
|
thanks for the reply, sdphantom.
the libraries are easy enough, i'll just load the ones i want. thanks for the tip on loadstring, i'll take that out of my whitelist. i'll also have to check to make sure my c++ code does not load bytecode, too. and taint's too far down the road for me to worry about yet :D |
Quote:
I was sure it was the premiere of a season, but even that one episode I have on my PSP agrees with you. Quote:
|
hey guys. thought i'd share what i have so far, if anyone's interested.
this is test code, i still need to: - create file path validation - prevent bytecode from loading - decide on what goes into the whitelist - decide what libraries i want - actually incorporate all of this into a class but i thought it was worth sharing for MORE FEEDBACK. and hey maybe it'd help anyone else who is interested, too. main.cpp: Code:
// mylua_test-2: main.cpp Code:
#!/usr/bin/env lua Code:
killing key: xpcall PS: the TODO: MAGIC is there to remind me that i may want to create a second, lua-based sandbox for each script i load so that my c++/lua interface is consistent. |
Killing things like "type", "select", "tonumber", and quite a few other things will severely hamper your sandbox environment. If you want it to be like WoW's environment, why not check to see what WoW allows?
|
you're right, of course. to keep the example simple, i only selected what i thought i would use to scan _G and print its contents. what i actually use will probably end up looking like the whitelist in my first post (without loadstring).
in the end, though, it probably won't be exactly like wow, and i'm okay with that as long as i can run untrusted code 'safely'. |
All times are GMT -6. The time now is 05:56 AM. |
vBulletin © 2024, Jelsoft Enterprises Ltd
© 2004 - 2022 MMOUI