New SRB2 Version and Lua

Hello everyone, I think it has been over a year since I've posted, but since I was last on I've gone and learned several programming languages, one of them Lua. I'm not here to tell you about my hobbies, but the announcement on www.srb2.org about implementing Lua into the scripting system caught my eye. Even though this is a major step in the right direction, I am curious about how code coming into the game is sandboxed. Now keep in mind that I know Lua, but am not familiar with the C API, so I am writing this from a strictly Lua standpoint.

So here's my point: People seem to forget that Lua is not only a customizing game script, it is a full-fledged programming language. So I am wondering what is going to keep code coming in from an SRB2 server from executing os.execute() and crashing my computer.

C WAY TO FIX THIS
jk, I don't know anything about the C API

Lua WAY TO FIX THIS
Lua has the ability to sandbox itself: since everything is an anonymous value, you can change a function to a new one. To demonstrate:

os.execute = function() do end end

This deactivates the os.execute() function.
This should be done with assert, the os functions, etc.

Sonic Team Junior probably have already straightened this out, but I thought I should just bring it to everyone's attention.
 
There is no os library in SRB2's Lua implementation.
There is no io library in SRB2's Lua implementation.
There is no package library in SRB2's Lua implementation.
There is no math library in SRB2's Lua implementation (it has been replaced by the fixed point math used throughout the rest of SRB2; you will know it as FRACUNIT, FixedMul, and FixedDiv).
There is no way to execute arbitrary code in SRB2's Lua implementation. I have torn it all out COMPLETELY.

The only way you will be able to hack into SRB2 and make a Lua script take over your computer doing malicious things is if you actually modify an exe or dll file. wad files and lua scripts by themselves are completely safe, and also the only things that get transferred by joining and leaving a server.

Also, the empty do end block inside of the empty function is completely unnecessary, and in fact unless your goal was to replace os.execute with an explicit script error message, you could just as easily set os.execute = nil. What I have done is essentially equivalent to os = nil.
 
Thanks, this makes me feel better, but be warned, people have used custom compilers to compile raw Lua bytecode into working compiled Lua scripts. Since compiled bytecode runs differently than uncompiled scripts, the bytecode can actually hack into and edit the stack on C functions. Removing the loadString() function usually fixes this exploit.

And btw, setting the value to nil is smart, I was thinking of the way they demonstrated in Programming in Lua. But my way does work, it simply turns the os.execute() into a working function that does nothing, it would not cause a script error.

Just keep in mind that even though Lua scripts are safe, efficient ways to modify a game, Lua is a programming language. And Lua scripts are a step riskier than SOC files. Even if there is no malicious threat, it is always possible for compiled Lua bytecode to be doctored up in a custom compiler to gain an unfair advantage.

I am also curious to know whether SRB2 Lua scripts will need to be compiled or be accepted in text format.

[Here is where I am an idiot and completely misunderstood JTE]
And it's hard to tell how you said that to me seeing as we are talking through text, but it sounded like you treated me like an idiot, and if you did, I request that you not brush me off like that. I am working on my second game now and wish to be treated like a competent programmer. But if that wasn't the attitude you meant, then ok.
 
And it's hard to tell how you said that to me seeing as we are talking through text, but it sounded like you treated me like an idiot, and if you did, I request that you not brush me off like that. I am working on my second game now and wish to be treated like a competent programmer. But if that wasn't the attitude you meant, then ok.
I'm going to treat you like an idiot for taking offense to an explanation clearly directed at everyone reading the thread. Sure, you probably know a lot of the stuff written in JTE's response, but many of the people in the community don't, so he wrote it out to make sure it was clear to everyone. Being an elitist jerk is one thing, but taking offense when another person goes out of their way to be helpful to people that aren't you is beyond unreasonable. If you wish to be treated as a competent programmer, start acting in a respectful manner that might actually cause people to treat you with respect in return.
 
I wasn't referring to how he said that he had removed certain Lua functions, I was referring to how he blew off what code I had written as being wrong. I am in no way trying to be an elitist jerk, and I wasn't trying to take offense, I was having a hard time interpreting what he meant by what he said (as I clearly stated in my post), unfortunately, I think we are all victims to the fact that we are all communicating through text and it's hard to discern what attitudes we have when we say things. It didn't occur to me that JTE meant his post for the community, and that was poor communicating on my part.
Keep in mind I have the utmost respect for you guys and didn't mean any offense, and if I offended you, I apologize.
I am also sorry if I ever sound elitist, I have come a long way to get where I am at with computers (I am not even out of high school and I have had to self-teach myself without any classes), and people usually don't take me seriously. I guess I have a raw nerve and that is entirely my fault.
Overall I think that this is a major communication error and we all have false impressions of each other, I thought I was being treated like an idiot, and JTE and you probably think I'm a complete jerk.
 
See, I'm not really offended as much as confused as to why anyone, when unsure if offense or insult was meant, would make a wild accusation like that. I mean, what did you think the response would be? Let's split up the possible results here:

A. You're spot on the money. So what? Calling this out does nothing at best, starts a flamewar at worst.
B. You're dead wrong. You look like a complete and total paranoid idiot at best, and I'm not even going to guess as to the worst opinion someone generated from this incident.

There's basically no result where you win out by making such an accusation. Since that's the case, and especially considering you didn't appear to even be sure that offense was intended, why the hell would you make the accusation to begin with? It's like you didn't think about the possible consequences at all.

Essentially, making such a stupid accusation makes you look like an immature idiot, and would have made you look like an immature idiot even in the alternate universe where you were actually right. You should think things through before you do them, because while in this case the result is that you just look dumb on an internet forum, doing such a thing in real life would basically destroy your stated goal of wanting to be taken seriously by others.
 
I'm not really following your logic; I don't think that brushing off my acceptable example code as being a massive error sounds like anything but an insult to injury. I have been very civil in my response and very humble about admitting what I did wrong; calling me a paranoid idiot is only intensifying the situation. I think it's a fair thing to feel like I'm being brushed off as a n00b when my example code:
os.execute = function() do end end
(which is perfectly legal Lua code)
is interpreted by JTE as:
and in fact unless your goal was to replace os.execute with an explicit script error message
I have been very nice about not jumping to conclusions by saying that I wasn't sure if I was interpreting what was said the right way, instead of using your syntax:
You look like a complete and total paranoid idiot at best
It seems I can't resolve a simple misunderstanding about respect for each other like a mature adult and try to talk about it. And when I'm wrong and I apologize for my misunderstanding, I get the following ground into my face:
Essentially, making such a stupid accusation makes you look like an immature idiot
It's like you didn't think about the possible consequences at all
because while in this case the result is that you just look dumb on an internet forum
I have been very polite in what I have said and wanted to clear up any misunderstandings, I was not accusing anyone, I was just unsure about what was meant by what was said. I didn't flatly call anyone an idiot, or accused anyone of not thinking like you have accused me, Mystic.
There's basically no result where you win out by making such an accusation.
I'm not trying to win anything, if I have a problem with someone, I try to resolve it like a mature adult instead of slinging insults. If I feel someone is publicly insulting me, I'll ask them about it, and if I'm wrong, I'll apologize for my misconception; if I'm right, I'd ask him to please take me seriously. It's a simple mature thing to do. I'm not accusing anyone, and I'm not blaming anyone. I also take none of this personally, despite hostilities and miscommunications I will still have the utmost respect for SRB2 devs.

[EDIT]
Mystic, your response is actually quite humorous seeing as JTE's next post is quite civil after you burst into this conversation guns ablazing, and try to win a 'fight' that wasn't yours. If there is anyone who has inflamed the situation into the inferno it is now, it is you. You kinda burst in and exasperated the situation.

Calling this out does nothing at best, starts a flamewar at worst.
JTE and I are getting along well, who is the one starting a flamewar?

----------------------------------------

I know I'm not famous for staying on-topic, but we've strayed from the point of this thread. I brought up the point that Lua scripts can be compiled from raw Lua bytecode to steal values from the C stack to modify or gain advantage in gameplay. It's still not known by the community whether Lua code will need to be compiled to be compatible with SRB2.
 
I apologize for any negative connotations that appear in my messages. My responses are intended to be purely informative and detailed, addressing everything presented.

On the concern of compiled Lua bytecode, loadstring, loadfile, and others were indeed removed. The loading of compiled Lua bytecode has not yet been completely revoked, since the initial script that is loaded may itself be compiled, but it will probably prove easy enough to either do that or render the bytecode for SRB2 further incompatible with standard Lua (it already is due to bitwise operations being included in the syntax).

At this time we are still discussing the both technical and moral issues with potential "closed source" scripts resulting from a combination of obfuscation and compilation, and it may very well end up that SRB2 will only accept plain text scripts, either by hardcoded limitation or by default. I do not currently understand the full extent to which compiled scripts may mess with things beyond the normal scripting bounds.
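As an added illustration of the two points raised in this thread (dropping whole libraries from the environment instead of stubbing single functions, and refusing precompiled bytecode now that loadstring is gone), here is a small whitelist sandbox written for this reply. It is not SRB2's code; it assumes stock Lua 5.1 or 5.2+ and that the host decides which functions are exposed.

```lua
-- Added example (not SRB2's implementation): run an untrusted text chunk in a
-- whitelist environment and refuse binary (bytecode) chunks up front.

local function make_env()
  -- Expose only what scripts need. Anything absent here (os, io, package,
  -- debug, loadstring/load, dofile, require) simply does not exist for the
  -- script, the same effect as JTE's "os = nil" for the whole library.
  return {
    print = print, pairs = pairs, ipairs = ipairs, type = type,
    tostring = tostring, tonumber = tonumber, select = select,
    string = { sub = string.sub, len = string.len, format = string.format },
    table  = { insert = table.insert, remove = table.remove, concat = table.concat },
  }
  -- Caveat: the string metatable still routes ("x"):method() calls to the full
  -- string library, so method syntax is not restricted by this table alone.
end

-- Precompiled chunks begin with ESC (0x1B) followed by "Lua"; reject them.
local function is_bytecode(src)
  return src:byte(1) == 27
end

-- Returns pcall-style results (true, ...) on success, or (nil/false, err).
local function run_untrusted(src, name)
  if type(src) ~= "string" then return nil, "source must be a string" end
  if is_bytecode(src) then
    return nil, (name or "chunk") .. ": bytecode chunks are not accepted"
  end
  local env = make_env()
  local chunk, err
  if setfenv then
    -- Lua 5.1: compile the text, then swap the chunk's globals table.
    chunk, err = loadstring(src, name)
    if chunk then setfenv(chunk, env) end
  else
    -- Lua 5.2+: mode "t" is a second, independent guard against bytecode.
    chunk, err = load(src, name, "t", env)
  end
  if not chunk then return nil, err end
  return pcall(chunk)
end

-- Constructed inputs for demonstration:
print(run_untrusted('return string.format("%d", 40 + 2)', "=ok"))  -- true  42
print(run_untrusted('return os.execute("echo hi")', "=os"))         -- false  (error: global 'os' is nil)
print(run_untrusted("\27Lua\81\0", "=bin"))                         -- nil  bin: bytecode chunks are not accepted
```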
 
Thank you for your kind response, it was sorely needed. I think this whole affair was a bad system of communication, and those of us who are offended are angry about something that was unintended.

So back to the point:
Compiled Lua bytecode can do different things than text Lua code, similar to how compiled machine code can do different things than plain C code.
They were having problems related to this issue on ROBLOX, a guy had been using a custom compiler to write Lua 'Assembly' code. His code was able to hack into netgames' C stack to gain access to sensitive gamedata and to manipulate gameplay. Even though he was using these to only gain unfair advantages, I'm not sure of the range of the exploit. ROBLOX said that they had resolved this by removing loadString like you said you have done. But I just wanted to bring up this point in case someone finds a way around loadString. Keep in mind though, that the enormous task of deciphering the Lua bytecode specification and writing a working compiler is a very difficult task which makes this exploit near obsolete, but threatening when used.

So will the Lua component of SRB2 be sandboxed on the C side of things, or will there be a sandboxing Lua script loaded on startup? I was also wondering if we could load Lua scripts from autoexec.cfg?
 
Disabling individual functions is not actual "sandboxing". No, I do not have the time or skill to completely split off the Lua interpreter into another process entirely or something like that (which would have its own set of issues to deal with as well)...

The most I can do is completely disallow SRB2 from loading Lua bytecode at all.
If I have to do that, I will. End of story.
 
I thought he just meant compiled Lua bytecode, not Lua altogether? (Also Lua is not an acronym, I thought we went over that ages ago.)
 
I understand, and I appreciate what you've done. I think that disabling Lua bytecode would be a smart move even if it makes longer loading times and more bandwidth usage.

To kyllian, I wasn't talking about disabling Lua, I was talking about disabling loading compiled bytecode and sticking to raw text-based Lua scripts. Lua would still work, but it would be loaded through text instead of bytecode.

You know, uncompiled Lua code is really just a false puppet: when the Lua interpreter gets the code in text, it compiles it before executing it. This helps protect the host computer from receiving maliciously tampered bytecode, but it also increases the overhead. That's the challenge of programming, having to decide the better of two evils. But for its downsides, I think it would be wiser to take the extra overhead in exchange for extra security.
 