mirror of
https://github.com/Chatterino/chatterino2.git
synced 2024-11-21 22:24:07 +01:00
Remove libraryPermissions in favor of loading safe(ish) stdlib part
This commit is contained in:
parent
16d2d02787
commit
52832b43e5
3 changed files with 19 additions and 48 deletions
|
@ -26,8 +26,6 @@ struct PluginMeta {
|
|||
|
||||
std::vector<QString> tags;
|
||||
|
||||
std::set<QString> libraryPermissions;
|
||||
|
||||
explicit PluginMeta(const QJsonObject &obj)
|
||||
: name(obj.value("name").toString("A Plugin with no name"))
|
||||
, description(obj.value("description").toString("Nothing here"))
|
||||
|
@ -51,17 +49,6 @@ struct PluginMeta {
|
|||
{
|
||||
this->tags.push_back(t.toString());
|
||||
}
|
||||
for (const auto &t : obj.value("library_permissions").toArray())
|
||||
{
|
||||
this->libraryPermissions.insert(t.toString());
|
||||
}
|
||||
}
|
||||
|
||||
bool hasDangerousLibraries()
|
||||
{
|
||||
const auto *perms = &this->libraryPermissions;
|
||||
return perms->contains("io") || perms->contains("package") ||
|
||||
perms->contains("os");
|
||||
}
|
||||
};
|
||||
|
||||
|
|
|
@ -103,29 +103,35 @@ bool PluginController::tryLoadFromDir(const QDir &pluginDir)
|
|||
}
|
||||
void PluginController::openLibrariesFor(lua_State *L, PluginMeta meta)
|
||||
{
|
||||
// copied from linit.c
|
||||
// NOLINTNEXTLINE
|
||||
// Stuff to change, remove or hide behind a permission system:
|
||||
static const std::vector<luaL_Reg> loadedlibs = {
|
||||
luaL_Reg{LUA_GNAME, luaopen_base},
|
||||
luaL_Reg{LUA_LOADLIBNAME, luaopen_package},
|
||||
luaL_Reg{LUA_COLIBNAME, luaopen_coroutine},
|
||||
// - print - writes to stdout, should be replaced with a per-plugin log
|
||||
// - load, loadstring, loadfile, dofile - don't allow bytecode, *require* valid utf8 (which bytecode by design isn't)
|
||||
|
||||
// luaL_Reg{LUA_LOADLIBNAME, luaopen_package},
|
||||
// - explicit fs access, probably best to make our own require() function
|
||||
|
||||
//luaL_Reg{LUA_COLIBNAME, luaopen_coroutine},
|
||||
// - needs special support
|
||||
luaL_Reg{LUA_TABLIBNAME, luaopen_table},
|
||||
luaL_Reg{LUA_IOLIBNAME, luaopen_io},
|
||||
luaL_Reg{LUA_OSLIBNAME, luaopen_os},
|
||||
// luaL_Reg{LUA_IOLIBNAME, luaopen_io},
|
||||
// - explicit fs access, needs wrapper with permissions, no usage ideas yet
|
||||
// luaL_Reg{LUA_OSLIBNAME, luaopen_os},
|
||||
// - fs access
|
||||
// - environ access
|
||||
// - exit
|
||||
luaL_Reg{LUA_STRLIBNAME, luaopen_string},
|
||||
luaL_Reg{LUA_MATHLIBNAME, luaopen_math},
|
||||
luaL_Reg{LUA_UTF8LIBNAME, luaopen_utf8},
|
||||
luaL_Reg{LUA_DBLIBNAME, luaopen_debug},
|
||||
luaL_Reg{NULL, NULL},
|
||||
// luaL_Reg{LUA_DBLIBNAME, luaopen_debug},
|
||||
// - this allows the plugin developer to unleash all hell
|
||||
};
|
||||
|
||||
for (const auto ® : loadedlibs)
|
||||
{
|
||||
if (meta.libraryPermissions.contains(QString(reg.name)))
|
||||
{
|
||||
luaL_requiref(L, reg.name, reg.func, int(true));
|
||||
lua_pop(L, 1);
|
||||
}
|
||||
luaL_requiref(L, reg.name, reg.func, int(true));
|
||||
lua_pop(L, 1);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -93,28 +93,6 @@ void PluginsPage::rebuildContent()
|
|||
pl->addRow("Homepage", homepage);
|
||||
pl->addRow("License", new QLabel(plugin->meta.license));
|
||||
|
||||
QString libString;
|
||||
for (const auto &library : plugin->meta.libraryPermissions)
|
||||
{
|
||||
if (!libString.isEmpty())
|
||||
{
|
||||
libString += ", ";
|
||||
}
|
||||
libString += library;
|
||||
}
|
||||
bool hasDangerous = plugin->meta.hasDangerousLibraries();
|
||||
if (hasDangerous)
|
||||
{
|
||||
libString += "\nDetected potentially dangerous libraries used, be "
|
||||
"careful with this plugin";
|
||||
}
|
||||
auto *libs = new QLabel(libString);
|
||||
if (hasDangerous)
|
||||
{
|
||||
libs->setStyleSheet("color: red");
|
||||
}
|
||||
pl->addRow("Used libraries", libs);
|
||||
|
||||
QString cmds;
|
||||
for (const auto &cmdName : plugin->listRegisteredCommands())
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue