Menu
I was just working on a localizable Lua string solution, when I came up with this hack, problem is I don't know how to avoid getting hacked by it :) So I was wondering if anyone, has done something similar and or knows how to protect from this kind of attack. (in user code)
Since we can do this:
=("foo"):upper() -->output: FOO
It can be hacked like this:
getmetatable("foo").__index.upper = function() print("bye bye sucker");os.exit() end
=("foo"):upper() -->output: bye bye sucker (application quits)
-- or this way
=string.upper("bar") -->output: bye bye sucker (application quits)
Any ideas?
962
Passing a level 0 avoids the addition of error position information to the message. In Lua programming, in order to avoid throwing these errors and handling errors, we need to use the functions pcall or xpcall. The pcall (f, arg1, ...) function calls the requested function in protected mode.
If the Lua errors WoW is caused by a glitch, you can force the game to reload the main game screen to fix the problem. Here is the guide: Step 1: Open your chatbox in WoW.
The point of obfuscating your Lua code is to prevent the casual hacker from gaining easy access to your game logic. There are several options for obfuscation: Running Lua files through luac:You can compile your Lua files using luac.
Encrypting your compiled Lua files:After compiling all of your Lua files using luac, you can also encrypt them. You must then hide your encryption key somewhere. The easiest approach is simply to hide the key in your app, but it's also the most vulnerable.
First and foremost execute untrusted code in sandboxed environment only – as it was said by other posters. Except for loading bytecode chunks, Lua allows all other sandboxing issues to be covered. (And bytecode chunk problems get fixed promptly as discovered.)
See Lua Live Demo for an example of sandboxing. Sources are available here.
Your specific problem with metatables is solved by setting a __metatable field:
If you set a
__metatablefield in the metatable,getmetatablewill return the value of this field, whereassetmetatablewill raise an error.– Roberto Ierusalimschy, Programming in Lua 1st edition, 13.3 - Library-Defined Metamethods
For example:
> mt = { __metatable = true }
> t = {}
> setmetatable(t, mt)
> setmetatable(t, mt)
stdin:1: cannot change a protected metatable
stack traceback:
[C]: in function 'setmetatable'
stdin:1: in main chunk
[C]: ?
So, all you have to do is:
getmetatable("").__metatable = true
If your hacker has the ability to add code, and you need to allow that code to call things like os.exit, then you're pretty much out of luck anyway.
You can restrict the functions that their code can call, though. It depends on what you still want user code to be able to do. See the doc for setfenv and google for "lua sandbox"
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
