1426 posts
Does anyone put something serious here?
Posted 23 May 2015 - 05:46 PM
This may seem like a bit of an odd question, but what can actually be exploited by the debug library? It seems obvious that the debug library isn't available but I've looking at it I can't see a way to abuse it and escape the sandbox. To clarify I'm not asking for code to abuse the debug library (so I don't feel this can be classed as malicious code) but I'm just curious…
The methods in the Debug API are listed here and the source for LuaJ 2's debug library is here.
.debug: This is simply a REPL loop to allow the ability to get/set/evaluate expressions inside a function. The only issue I can see is that it reads from stdin instead, though I know that you can change that in LuaJ (at least you can in LuaJ 3 which I think Dan is upgrading to).
.getfenv/.setfenv: These are the same as getfenv/setfenv. I guess these would have to be sandboxed the same as getfenv is - though this would probably have to be moved to the Java side.
.gethook/.sethook: CC does add a debug hook to yield inside coroutines which the debug library could technically remove. However as far as I am aware this wouldn't stop 'too long without yielding errors', it just means the computer would crash be more likely to crash on 'too long without yielding' than yield the coroutine.
.getmetatable/.setmetatable: Allows bypassing 'metatable protection' (setmetatable(obj, {__meta = false})). This would need sandboxing the same as normal getfenv.
.getinfo: Gets information about a function such as its name and the line it is defined on. Very useful and I can't see an issue.
.getlocal/.setlocal: Allows getting and setting variables inside functions. This and setupvalue are the most 'unsafe' and wouldn't work with LuaJC.
.getregistry: Only returns a blank table in LuaJ.
.getupvalue: Same as .getlocal but for upvalues. Would work with LuaJC.
.traceback: Provides a stack traceback - though can be currently emulated with pcall.
So the 'exploitable' functions are the local/upvalue/hook functions - but seeing as the sandbox is Java side you can't escape the sandbox with this. There must be something I'm missing.
Extra reading:
OpenComputer's issue on debug.getinfo and source code
The methods in the Debug API are listed here and the source for LuaJ 2's debug library is here.
.debug: This is simply a REPL loop to allow the ability to get/set/evaluate expressions inside a function. The only issue I can see is that it reads from stdin instead, though I know that you can change that in LuaJ (at least you can in LuaJ 3 which I think Dan is upgrading to).
.getfenv/.setfenv: These are the same as getfenv/setfenv. I guess these would have to be sandboxed the same as getfenv is - though this would probably have to be moved to the Java side.
.gethook/.sethook: CC does add a debug hook to yield inside coroutines which the debug library could technically remove. However as far as I am aware this wouldn't stop 'too long without yielding errors', it just means the computer would crash be more likely to crash on 'too long without yielding' than yield the coroutine.
.getmetatable/.setmetatable: Allows bypassing 'metatable protection' (setmetatable(obj, {__meta = false})). This would need sandboxing the same as normal getfenv.
.getinfo: Gets information about a function such as its name and the line it is defined on. Very useful and I can't see an issue.
.getlocal/.setlocal: Allows getting and setting variables inside functions. This and setupvalue are the most 'unsafe' and wouldn't work with LuaJC.
.getregistry: Only returns a blank table in LuaJ.
.getupvalue: Same as .getlocal but for upvalues. Would work with LuaJC.
.traceback: Provides a stack traceback - though can be currently emulated with pcall.
So the 'exploitable' functions are the local/upvalue/hook functions - but seeing as the sandbox is Java side you can't escape the sandbox with this. There must be something I'm missing.
Extra reading:
OpenComputer's issue on debug.getinfo and source code
Edited on 23 May 2015 - 04:02 PM
