Remove libraryPermissions in favor of loading safe(ish) stdlib part

src/controllers/plugins/Plugin.hpp

@@ -26,8 +26,6 @@ struct PluginMeta {
 
     std::vector<QString> tags;
 
-    std::set<QString> libraryPermissions;
-
     explicit PluginMeta(const QJsonObject &obj)
         : name(obj.value("name").toString("A Plugin with no name"))
         , description(obj.value("description").toString("Nothing here"))
@@ -51,17 +49,6 @@ struct PluginMeta {
         {
             this->tags.push_back(t.toString());
         }
-        for (const auto &t : obj.value("library_permissions").toArray())
-        {
-            this->libraryPermissions.insert(t.toString());
-        }
-    }
-
-    bool hasDangerousLibraries()
-    {
-        const auto *perms = &this->libraryPermissions;
-        return perms->contains("io") || perms->contains("package") ||
-               perms->contains("os");
     }
 };
 

src/controllers/plugins/PluginController.cpp

@@ -103,29 +103,35 @@ bool PluginController::tryLoadFromDir(const QDir &pluginDir)
 }
 void PluginController::openLibrariesFor(lua_State *L, PluginMeta meta)
 {
-    // copied from linit.c
+    // Stuff to change, remove or hide behind a permission system:
-    // NOLINTNEXTLINE
     static const std::vector<luaL_Reg> loadedlibs = {
         luaL_Reg{LUA_GNAME, luaopen_base},
-        luaL_Reg{LUA_LOADLIBNAME, luaopen_package},
+        // - print - writes to stdout, should be replaced with a per-plugin log
-        luaL_Reg{LUA_COLIBNAME, luaopen_coroutine},
+        // - load, loadstring, loadfile, dofile - don't allow bytecode, *require* valid utf8 (which bytecode by design isn't)
+
+        // luaL_Reg{LUA_LOADLIBNAME, luaopen_package},
+        // - explicit fs access, probably best to make our own require() function
+
+        //luaL_Reg{LUA_COLIBNAME, luaopen_coroutine},
+        // - needs special support
         luaL_Reg{LUA_TABLIBNAME, luaopen_table},
-        luaL_Reg{LUA_IOLIBNAME, luaopen_io},
+        // luaL_Reg{LUA_IOLIBNAME, luaopen_io},
-        luaL_Reg{LUA_OSLIBNAME, luaopen_os},
+        // - explicit fs access, needs wrapper with permissions, no usage ideas yet
+        // luaL_Reg{LUA_OSLIBNAME, luaopen_os},
+        // - fs access
+        // - environ access
+        // - exit
         luaL_Reg{LUA_STRLIBNAME, luaopen_string},
         luaL_Reg{LUA_MATHLIBNAME, luaopen_math},
         luaL_Reg{LUA_UTF8LIBNAME, luaopen_utf8},
-        luaL_Reg{LUA_DBLIBNAME, luaopen_debug},
+        // luaL_Reg{LUA_DBLIBNAME, luaopen_debug},
-        luaL_Reg{NULL, NULL},
+        // - this allows the plugin developer to unleash all hell
     };
 
     for (const auto &reg : loadedlibs)
     {
-        if (meta.libraryPermissions.contains(QString(reg.name)))
+        luaL_requiref(L, reg.name, reg.func, int(true));
-        {
+        lua_pop(L, 1);
-            luaL_requiref(L, reg.name, reg.func, int(true));
-            lua_pop(L, 1);
-        }
     }
 }
 

src/widgets/settingspages/PluginsPage.cpp

@@ -93,28 +93,6 @@ void PluginsPage::rebuildContent()
         pl->addRow("Homepage", homepage);
         pl->addRow("License", new QLabel(plugin->meta.license));
 
-        QString libString;
-        for (const auto &library : plugin->meta.libraryPermissions)
-        {
-            if (!libString.isEmpty())
-            {
-                libString += ", ";
-            }
-            libString += library;
-        }
-        bool hasDangerous = plugin->meta.hasDangerousLibraries();
-        if (hasDangerous)
-        {
-            libString += "\nDetected potentially dangerous libraries used, be "
-                         "careful with this plugin";
-        }
-        auto *libs = new QLabel(libString);
-        if (hasDangerous)
-        {
-            libs->setStyleSheet("color: red");
-        }
-        pl->addRow("Used libraries", libs);
-
         QString cmds;
         for (const auto &cmdName : plugin->listRegisteredCommands())
         {