feat(scripting/lua): add missing debug func (getlocal, setlocal, setupvalue) in lua debug sandbox #3026

Open: wants to merge 1 commit into base: master

eryxiz commented Dec 21, 2024

Goal of this PR

Add missing functions in debug library to new sandboxed lua debug.

  • debug.setupvalue
  • debug.getlocal
  • debug.setlocal

How is this PR achieving the goal

Added the functions (debug.setupvalue, debug.getlocal, debug.setlocal) based on lua debug API.
The functions in the debug library can't access variables, code, or files outside the scope of a resource, so they shouldn’t have any impact on exploiting servers.

This PR applies to the following area(s)

ScRT: Lua

Successfully tested on

Platforms: Windows

Checklist

  • Code compiles and has been tested successfully.
  • Code explains itself well and/or is documented.
  • My commit message explains what the changes do and what they are for.
  • No extra compilation warnings are added by these changes.

Fixes issues

Related issue #3010
(debug.gethook, debug.sethook not included in this PR)

github-actions bot added the ScRT: Lua label (Issues/PRs related to the Lua scripting runtime) Dec 21, 2024

Mathu-lmn (Contributor) commented:

Hey, these functions were removed for a reason, I'll let a member of the cfx team confirm that but it's not planned to add them!

github-actions bot added the invalid label (Requires changes before it's considered valid and can be (re)triaged) Dec 21, 2024

eryxiz (Author) commented Dec 21, 2024

> Hey, these functions were removed for a reason, I'll let a member of the cfx team confirm that but it's not planned to add them!

I understand that the reason for removing it is to prevent server exploits. However, as far as I know, the debug library currently operates within the scope of its own resource. So, I’m curious—how could someone exploit a server using these debug library functions when they’re limited to their own resource? This is different from the io library, which previously allowed full permission to read/write files anywhere.

AvarianKnight (Contributor) commented:

Having these debug hooks can give users access to the scheduler, which isn't desired behavior.
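
An added illustration of the scoping question raised in this thread; it is not code from the PR or from the cfx runtime. The scheduler stand-in, the chunk name `@my_resource/client.lua` and the `scoped_setupvalue` policy are all assumptions made for the example, which needs Lua 5.2 or later for `load` with an environment.

```lua
-- Constructed stand-in for a host-side scheduler (hypothetical; not the cfx runtime's code).
local function make_scheduler()
  local queue = {}                          -- private state, captured as an upvalue
  local function schedule(fn) queue[#queue + 1] = fn end
  local function run() for _, fn in ipairs(queue) do fn() end end
  return schedule, run
end

-- Audit helper: every upvalue a holder of `f` can reach via the stock debug library.
local function exposed_upvalues(f)
  local found, i = {}, 1
  while true do
    local name, value = debug.getupvalue(f, i)
    if name == nil then break end
    found[#found + 1] = name .. ":" .. type(value)
    i = i + 1
  end
  return found
end

-- Scoped wrapper (assumed policy): act only on functions defined in the caller's chunk.
local function scoped_setupvalue(own_source, f, index, value)
  if debug.getinfo(f, "S").source ~= own_source then
    return nil, "function not defined in this resource"
  end
  return debug.setupvalue(f, index, value)
end

local schedule, run = make_scheduler()
schedule(function() print("host task still queued") end)
-- A script is only handed `schedule`, yet the queue behind it is enumerable.
print("reachable through schedule: " .. table.concat(exposed_upvalues(schedule), ", "))

-- Constructed resource script, loaded under its own chunk name and environment.
local CHUNK = "@my_resource/client.lua"
local script = [[
  local counter = 0
  local function bump() counter = counter + 1; return counter end
  local own = debug.setupvalue(bump, 1, 41)            -- own closure: allowed
  local host, err = debug.setupvalue(schedule, 1, {})  -- host closure: refused
  return own, bump(), host, err
]]
local env = {
  schedule = schedule,
  debug = { setupvalue = function(f, i, v) return scoped_setupvalue(CHUNK, f, i, v) end },
}
print(assert(load(script, CHUNK, "t", env))())
run()  -- the host's queue was not replaced, so its task still runs
```

A source check like this only covers calls that take a function value; `debug.getlocal` and `debug.setlocal` address stack levels, so a scoped version of those would also have to stop at frames that belong to the host.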
