From fc811c67fbd4b110a8f84d4b589c2212c4061312 Mon Sep 17 00:00:00 2001
From: Evil Factory <36804725+evilfactory@users.noreply.github.com>
Date: Sun, 3 Oct 2021 19:27:27 -0300
Subject: [PATCH] basic file sandboxing

---
 .../SharedSource/Lua/LuaClasses.cs | 47 +++++++++++++++++++
 .../SharedSource/Lua/LuaSetup.cs | 4 ++
 2 files changed, 51 insertions(+)

diff --git a/Barotrauma/BarotraumaShared/SharedSource/Lua/LuaClasses.cs b/Barotrauma/BarotraumaShared/SharedSource/Lua/LuaClasses.cs
index d7da977a2..ca96a5f29 100644
--- a/Barotrauma/BarotraumaShared/SharedSource/Lua/LuaClasses.cs
+++ b/Barotrauma/BarotraumaShared/SharedSource/Lua/LuaClasses.cs
@@ -352,23 +352,64 @@ namespace Barotrauma
 {
 // TODO: SANDBOXING
 
+ public static bool IsPathAllowed(string path)
+ {
+ path = Path.GetFullPath(path).CleanUpPath();
+
+ if (path.StartsWith(Path.GetFullPath("Mods").CleanUpPath()))
+ return true;
+
+ if (path.StartsWith(Path.GetFullPath("Submarines").CleanUpPath()))
+ return true;
+
+ if (path.StartsWith(Path.GetFullPath("Data").CleanUpPath()))
+ return true;
+
+ if (path.StartsWith(Path.GetFullPath("Lua").CleanUpPath()))
+ return true;
+
+ return false;
+ }
+
+ public static bool IsPathAllowedLuaException(string path)
+ {
+ if (IsPathAllowed(path))
+ return true;
+ else
+ luaSetup.HandleLuaException(new Exception("File access to \"" + path + "\" not allowed."));
+
+ return false;
+ }
+
 public static string Read(string path)
 {
+ if (!IsPathAllowedLuaException(path))
+ return "";
+
 return File.ReadAllText(path);
 }
 
 public static void Write(string path, string text)
 {
+ if (!IsPathAllowedLuaException(path))
+ return;
+
 File.WriteAllText(path, text);
 }
 
 public static bool Exists(string path)
 {
+ if (!IsPathAllowedLuaException(path))
+ return false;
+
 return File.Exists(path);
 }
 
 public static bool DirectoryExists(string path)
 {
+ if (!IsPathAllowedLuaException(path))
+ return false;
+
 return Directory.Exists(path);
 }
 
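Review bot: The prefix test in `IsPathAllowed` accepts any path whose text merely begins with an allowed root, so a sibling directory such as `Mods2` or `Database` next to `Mods`/`Data` passes; the match should require the root itself or the root followed by a directory separator. `StartsWith(string)` is also culture-sensitive by default, and a security comparison should pass `StringComparison.Ordinal`. A null `path` makes `Path.GetFullPath` throw before `HandleLuaException` is reached, and `GetFullPath` normalises `..` but does not resolve symbolic links, which is worth stating in a comment that replaces the stale `// TODO: SANDBOXING`. The same allow-list gates `Write` as well as `Read`, so scripts may overwrite files under `Lua` and `Mods`; a narrower list for writes would be safer if that is not intended. The sketch below assumes nothing about which separator `CleanUpPath` emits, since its body is not visible here.

```csharp
private static readonly string[] allowedRoots = { "Mods", "Submarines", "Data", "Lua" };

public static bool IsPathAllowed(string path)
{
    // Reject null/empty up front so Path.GetFullPath cannot throw past the Lua error handler.
    if (string.IsNullOrEmpty(path))
        return false;

    string fullPath = Path.GetFullPath(path).CleanUpPath();

    foreach (string rootName in allowedRoots)
    {
        string root = Path.GetFullPath(rootName).CleanUpPath().TrimEnd('/', '\\');

        if (!fullPath.StartsWith(root, StringComparison.Ordinal))
            continue;

        // Accept the root itself or a path below it; a bare prefix match would also accept a sibling such as "Mods2".
        if (fullPath.Length == root.Length || fullPath[root.Length] == '/' || fullPath[root.Length] == '\\')
            return true;
    }

    return false;
}
```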
@@ -379,11 +420,17 @@ namespace Barotrauma
 
 public static string[] GetDirectories(string path)
 {
+ if (!IsPathAllowedLuaException(path))
+ return new string[] { };
+
 return Directory.GetDirectories(path);
 }
 
 public static string[] DirSearch(string sDir)
 {
+ if (!IsPathAllowedLuaException(sDir))
+ return new string[] { };
+
 List files = new List();
 
 try
diff --git a/Barotrauma/BarotraumaShared/SharedSource/Lua/LuaSetup.cs b/Barotrauma/BarotraumaShared/SharedSource/Lua/LuaSetup.cs
index 02703f3a7..8ac6b0b01 100644
--- a/Barotrauma/BarotraumaShared/SharedSource/Lua/LuaSetup.cs
+++ b/Barotrauma/BarotraumaShared/SharedSource/Lua/LuaSetup.cs
@@ -96,6 +96,8 @@ namespace Barotrauma
 
 public DynValue DoFile(string file, Table globalContext = null, string codeStringFriendly = null)
 {
+ if(!LuaFile.IsPathAllowedLuaException(file)) return null;
+
 try
 {
 return lua.DoFile(file, globalContext, codeStringFriendly);
@@ -127,6 +129,8 @@ namespace Barotrauma
 
 public DynValue LoadFile(string file, Table globalContext = null, string codeStringFriendly = null)
 {
+ if (!LuaFile.IsPathAllowedLuaException(file)) return null;
+
 try
 {
 return lua.LoadFile(file, globalContext, codeStringFriendly);
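Review bot: The guards added to `GetDirectories` and `DirSearch` leave a gap between this hunk and the previous one: old lines 375–378 are unchanged and not shown, so whatever member sits between `DirectoryExists` and `GetDirectories` has no `IsPathAllowedLuaException` check and should be confirmed not to take a script-supplied path. `DirSearch` continues outside the hunk, so only its starting directory is visibly validated; whether the traversal can leave `sDir` (for example through a linked directory) cannot be told from here and deserves a comment in the method. As a style point, `Array.Empty<string>()` would replace `new string[] { }` in both guards without allocating.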
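Review bot: The check added to `DoFile` (and identically to `LoadFile` in the next hunk) validates `file` as resolved against the process working directory, while the load itself is delegated to `lua.DoFile`/`lua.LoadFile`; if `lua` is a MoonSharp `Script`, as the `DynValue` and `Table` types suggest, the name is resolved by its script loader, which may not agree with `Path.GetFullPath`. Lua-side `require`/`dofile`, where the interpreter's own loader is enabled, would presumably reach that loader without passing through these wrappers, so enforcing the allow-list inside the script loader would cover both routes. The early `return null` should be mentioned in each method's doc comment, since callers now receive null for a rejected path; both method bodies continue outside their hunks. Spacing differs between the two guards: `if(!` in `DoFile` versus `if (!` in `LoadFile`.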