Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix metatable security. #309

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix metatable security. #309

wants to merge 2 commits into from

Conversation

Mellnik
Copy link

@Mellnik Mellnik commented Jan 19, 2023
edited
Loading

From LuaBridge documentation:

Metatables have __metatable set to a boolean value. Scripts cannot obtain the metatable from a LuaBridge object.

According to Lua docuemtation the field must be set to prevent tampering with it.
Setting it to nil as it is currently done, effectively does nothing.

I went back to LuaBridge 1.0.0 where is was still correctly a boolean. Since 1.0.2 it changed to nil.

This makes me wonder if there are more security issues with LuaBridge...

Edit:
I forgot to mention that setting __metatable when constructing Namespace is missing completely. I've also added that to the PR.

@Mellnik
Set __metatable to false instead of nil
8a048b5 
According to LuaBridge documentation the __metatable field is set to false. But apparently this is not the case. Resulting in scripts being able to tamper with them.
@Mellnik
Also set __metatable when constructing a Namespace
e8fd86f 
It seems that __metatable is not hidden for new namespaces.
@Mellnik Mellnik mentioned this pull request Jan 19, 2023
Open
dmitry-t
dmitry-t requested changes Jan 26, 2023
View reviewed changes
Source/LuaBridge/detail/Namespace.h
Comment on lines +1044 to +1049
if (Security::hideMetatables())
{
lua_pushboolean(L, 0);
rawsetfield(L, -2, "__metatable");
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spaces should be used instead of tabs.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Mellnik ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it okay for you when you just push the change under your name?

@dmitry-t
Copy link
Collaborator

dmitry-t commented Mar 4, 2023

Can you add a unit test which fails with the original implementation and works with the change?
I'll gladly help once I have time.

@Mellnik
Copy link
Author

Mellnik commented Mar 4, 2023

The LuaBridge3 repo copied my fix last week + a unit test. Use that?
kunitoki/LuaBridge3@cca9b2f

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmitry-t dmitry-t dmitry-t requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Mellnik @dmitry-t