lua - ROBLOX sandboxing -

-

i new sandboxing in lua, , learn how filter stuff :getchildren() or :kick().

this have far:

function safegetchildren(obj)     local objs = {}     _,v in pairs(obj)         if not v.name:match("^^")             table.insert(objs, v.name)         end     end      return objs end  function safeclearallchildren(obj)     if obj:isa("player") or obj:isa("players") or obj:isa("workspace") or obj:isa("serverscriptservice") or obj:isa("lighting") or obj:isa("replicatedstorage") or obj:isa("startergui")         return error("cannot clear object!");     else         obj:clearallchildren();     end end  function saferemoveobject(obj)     local name = obj.name:lower();      if obj:isa("player") or  name == "remoteevents" or obj.parent == "remoteevents" or obj.parent == "replicatedstorage" or obj.parent == "startergui" or obj.parent == "serverscriptservice" or obj.parent == "tinysb"         return error("cannot destroy object!");     else         obj:destroy();     end end  local globals = {     -- globals     workspace = workspace,     print = print,     error = error,     table = table,     pairs = pairs,     game = game,     string = string,     _g = _g,     getfenv = getfenv,     loadstring = loadstring,     ipairs = ipairs,     next = next,     os = os,     pcall = pcall,     rawequal = rawequal,     rawget = rawget,     rawset = rawset,     select = select,     setfenv = setfenv,     setmetatable = setmetatable,     tonumber = tonumber,     tostring = tostring,     type = type,     unpack = unpack,     _version = _version,     xpcall = xpcall,     collectgarbage = collectgarbage,     assert = assert,     gcinfo = gcinfo,     coroutine = coroutine,     string = string,     table = table,     math = math,     delay = delay,     loadlibrary = loadlibrary,     printidentity = printidentity,     spawn = spawn,     tick = tick,     time = time,     usersettings = usersettings,     version = version,     wait = wait,     warn = warn,     ypcall = ypcall,     pluginmanager = pluginmanager,     loadrobloxlibrary = loadrobloxlibrary,     settings = settings,     stats = stats,      -- functions     ["require"] = function(...)         return error("cannot require object (api disabled)");     end,     ["getchildren"] = function(...)         return safegetchildren(...);     end,     ['children'] = function(...)         return safegetchildren(...);     end,     ['clearallchildren'] = function(...)         return safeclearallchildren(...);     end,     ['destroy'] = function(...)         return saferemoveobject(...);     end,     ['remove'] = function(...)         return saferemoveobject(...);     end,     ['kick'] = function(...)         return saferemoveobject(...);     end,     ['saveplace'] = function(...)         return error("cannot save place (api disabled)");     end } setfenv(1, globals) table.foreach(workspace:getchildren(), print)

i made in few hours things :getchildren() aren't filtered in environment. if can me explanation on each part of code required help.

  you're setting safe wrapper under name 'getchildren' in new environment. later, when testing, you're calling 'getchildren', taken 'workspace' table, , not global variable in new environment.
  replacing function in global environment doesn't mean replacing functions same name in tables/objects. work, object must call function current global environment, , not function internal tables or lexical closures.


Comments

Post a Comment

Popular posts from this blog

c++ - llvm function pass ReplaceInstWithInst malloc -

-
#include "llvm/pass.h" #include "llvm/ir/module.h" #include "llvm/ir/function.h" #include "llvm/support/raw_ostream.h" #include "llvm/ir/legacypassmanager.h" #include "llvm/ir/instrtypes.h" #include "llvm/transforms/ipo/passmanagerbuilder.h" #include "llvm/ir/irbuilder.h" #include "llvm/transforms/utils/basicblockutils.h" using namespace llvm; namespace { struct replacepass : public functionpass { static char id; replacepass() : functionpass(id) {} virtual bool runonfunction(function &f) { allocainst* insttoreplace = ??? basicblock::iterator ii(insttoreplace); replaceinstwithinst(insttoreplace->getparent()->getinstlist(), ii, new allocainst(type::int32ty, 0, insttoreplace)); return true; } }; } char replacepass::id = 0; static void registerreplacepass(const passmanagerbuilder &, legacy::passmanagerbase &pm) { pm.add(new re
Read more

java.lang.NoClassDefFoundError When Creating New Android Project -

-
i've tried installing (and re-installing) android studio several times now, , each time, studio isn't able create new android project. when attempt initial android studio window (ie. basic 'create', 'open', 'import' etc options), i'm asked of questions in wizard, brief progress dialog, followed nothing @ all. if open incomplete project process creates choosing 'open' list, can try choosing create new android project menu. this has same issue, error message in output console time... java.lang.noclassdeffounderror: com/sun/xml/internal/bind/v2/model/annotation/annotationreader (wrong name: com/sun/xml/internal/bind/v0/model/qnnotation/annotationreader) note: when installed android studio, installed incompatible jdk (1.8, not 1.7). have had go default project settings change jdk uses 1.8. does know how can avoid this? there place should downloading jxb classes? missing in java paths? this appears have been caused cor
Read more

Decoding a Python 2 `tempfile` with python-future -

-
i'm attempting write python 2/3 compatible routine fetch csv file, decode latin_1 unicode , feed csv.dictreader in robust, scalable manner. for python 2/3 support, i'm using python-future including imporing open builtins , , importing unicode_literals consistent behaviour i'm hoping handle exceptionally large files spilling disk, using tempfile.spooledtemporaryfile i'm using io.textiowrapper handle decoding latin_1 encoding before feeding dictreader this works fine under python 3. the problem textiowrapper expects wrap stream conforms bufferediobase . unfortunately under python 2, although have imported python 3-style open , vanilla python 2 tempfile.spooledtemporaryfile still of course returns python 2 cstringio.stringo , instead of python 3 io.bytesio required textiowrapper . i can think of these possible approaches: wrap python 2 cstringio.stringo python 3-style io.bytesio . i'm not sure how approach - need write such wrapper or 1 ex
Read more