MarvellousSoft / MarvInc

Zachlike with an immersive storyline told through emails.
https://marvellous.itch.io/marvellous-inc
GNU General Public License v3.0

Custom level loading is unsafe! #255

Closed. inguin closed this issue 6 years ago.

inguin commented 6 years ago

A malicious custom level author can easily break out of the Lua sandbox by using the global environment (_G) that's passed to the level code. Example exploit:

os = _G.require("os")
os.execute("kcalc")

The environment of the script must be white-listed to contain only safe fields.
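
One way to build the whitelisted environment the report asks for, as an added example that is not MarvInc's code and not the fix in the project's PR. It assumes the level file is available as a string, that the game runs on Lua 5.1/LuaJIT or Lua 5.2+, and that the helper names (`makeSandboxEnv`, `loadLevel`, `copyLib`) are hypothetical. The level gets copies of a few standard libraries plus an `_G` that points at its own environment, so the `_G.require("os")` call from the report has nothing to reach:

```lua
-- Added example, not code from MarvInc: load a custom level in a whitelisted
-- environment so the level cannot reach the real _G, require, os or io.
-- Runs on Lua 5.1 / LuaJIT (setfenv) and on Lua 5.2+ (load with an env argument).
-- Helper names (copyLib, makeSandboxEnv, loadLevel) are hypothetical.

-- Copy a standard library table field by field, skipping blacklisted names.
-- Copying rather than sharing means a level that overwrites string.rep
-- only breaks its own copy, not the one the game itself uses.
local function copyLib(src, blacklist)
  local dst = {}
  for k, v in pairs(src) do
    if not blacklist[k] then dst[k] = v end
  end
  return dst
end

-- Build a fresh environment containing only the fields we trust.
local function makeSandboxEnv()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack or table.unpack,
    math = copyLib(math, {}),
    table = copyLib(table, {}),
    string = copyLib(string, { dump = true }), -- string.dump emits bytecode
  }
  -- Let the level refer to "its" globals through _G without seeing the real ones.
  env._G = env
  -- Deliberately absent: require, package, os, io, load, loadstring, loadfile,
  -- dofile, debug, getmetatable, setmetatable, rawget, rawset, collectgarbage.
  return env
end

-- Compile `source` as a text-only chunk bound to a fresh sandbox env and run it.
-- Returns true plus the chunk's return values, or false plus an error message.
local function loadLevel(source, chunkname)
  -- Precompiled bytecode can corrupt the VM; never accept it from a level file.
  if source:sub(1, 1) == "\27" then
    return false, "bytecode is not allowed in level files"
  end
  local env = makeSandboxEnv()
  local chunk, err
  if setfenv then                                  -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(source, chunkname)
    if chunk then setfenv(chunk, env) end
  else                                             -- Lua 5.2+: mode "t" rejects bytecode
    chunk, err = load(source, chunkname, "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed inputs: the exploit from the report and a harmless level.
local exploit = 'os = _G.require("os") os.execute("kcalc")'
local benign  = 'return string.rep("ab", 2), math.max(3, 7)'

-- The exploit fails inside the sandbox: env._G.require is nil, so the call errors.
print(loadLevel(exploit, "=exploit"))
-- The benign level keeps working with the copied libraries.
print(loadLevel(benign, "=benign"))
```

Two caveats a practitioner would want: `pcall` contains errors, not resource use, so a level can still spin in `while true do end` or allocate until memory runs out (a `debug.sethook` instruction limit on the host side is the usual answer). And the string metatable's `__index` still points at the real `string` library, so `("x").dump` is reachable by method syntax; that yields bytecode but no way to run it, which is why `load`, `loadstring` and `dofile` are withheld entirely rather than wrapped.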

RenatoGeh commented 6 years ago

Yes. We are aware of this. The new custom level script includes wrapping the .lua file inside a safe environment.

RenatoGeh commented 6 years ago

Taken care of in #257. This PR should be in production once reviewers give their ok.