colin/wireplumber
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
17a257ddbe0863d28d24588a95002602f3d8897d
wireplumber/modules/module-lua-scripting/wplua/sandbox.lua
George Kiagiadakis 17a257ddbe wplua: move under modules/module-lua-scripting 
It's unlikely that wplua will ever be useful outside the context
of module-lua-scripting, so let's move it to keep all the code in one place
2022-03-24 09:47:59 +02:00

112 lines
3.3 KiB
Lua
Raw Blame History

-- WirePlumber
--
-- Copyright © 2020 Collabora Ltd.
-- @author George Kiagiadakis <george.kiagiadakis@collabora.com>
--
-- Based on https://github.com/kikito/sandbox.lua
-- Copyright © 2013 Enrique García Cota
--
-- SPDX-License-Identifier: MIT
local SANDBOX_CONFIG = ...
local SANDBOX_ENV = {}
local function populate_env(id)
local module, method = id:match('([^%.]+)%.([^%.]+)')
if module then
SANDBOX_ENV[module] = SANDBOX_ENV[module] or {}
SANDBOX_ENV[module][method] = _G[module][method]
else
SANDBOX_ENV[id] = _G[id]
end
end
-- List of safe functions and packages
if SANDBOX_CONFIG["minimal_std"] then
-- minimal list, used for config files
([[
_VERSION ipairs pairs select tonumber tostring type
table
string.byte string.char string.find string.format string.gmatch
string.gsub string.len string.lower string.match string.reverse
string.sub string.upper
]]):gsub('%S+', populate_env)
else
-- full list, used for scripts
([[
_VERSION assert error ipairs next pairs print
pcall select tonumber tostring type xpcall
table utf8
math.abs math.acos math.asin math.atan math.ceil
math.cos math.deg math.exp math.tointeger math.floor math.fmod
math.huge math.ult math.log math.maxinteger math.mininteger math.max
math.min math.modf math.pi math.rad math.random
math.sin math.sqrt math.tan math.type
string.byte string.char string.find string.format string.gmatch
string.gsub string.len string.lower string.match string.reverse
string.sub string.upper
os.clock os.difftime os.time os.date os.getenv
]]):gsub('%S+', populate_env)
end
-- Additionally export everything in SANDBOX_EXPORT
if type(SANDBOX_EXPORT) == "table" then
for k, v in pairs(SANDBOX_EXPORT) do
SANDBOX_ENV[k] = v
end
end
-- Additionally protect packages from malicious scripts trying to override methods
for k, v in pairs(SANDBOX_ENV) do
if type(v) == "table" then
SANDBOX_ENV[k] = setmetatable({}, {
__index = v,
__newindex = function(_, attr_name, _)
error('Can not modify ' .. k .. '.' .. attr_name .. '. Protected by the sandbox.')
end
})
end
end
if SANDBOX_CONFIG["isolate_env"] then
-- in isolate_env mode, use a separate enviornment for each loaded chunk and
-- store all of them in a global table so that they are not garbage collected
SANDBOX_ENV_LIST = {}
function sandbox(chunk, ...)
-- chunk's environment will be an empty table with __index
-- to access our SANDBOX_ENV (without being able to write it)
local env = setmetatable({}, {
__index = SANDBOX_ENV,
})
-- store the chunk's environment so that it is not garbage collected
table.insert(SANDBOX_ENV_LIST, env)
-- set it as the chunk's 1st upvalue (__ENV)
debug.setupvalue(chunk, 1, env)
-- execute the chunk
chunk(...)
end
else
-- in common_env mode, use the same environment for all loaded chunks
-- chunk's environment will be an empty table with __index
-- to access our SANDBOX_ENV (without being able to write it)
SANDBOX_COMMON_ENV = setmetatable({}, {
__index = SANDBOX_ENV,
})
function sandbox(chunk, ...)
-- set it as the chunk's 1st upvalue (__ENV)
debug.setupvalue(chunk, 1, SANDBOX_COMMON_ENV)
-- execute the chunk
chunk(...)
end
end
Reference in New Issue View Git Blame Copy Permalink