
Fix metatable security.

Open Mellnik opened this issue 2 years ago • 2 comments

From LuaBridge documentation:

Metatables have __metatable set to a boolean value. Scripts cannot obtain the metatable from a LuaBridge object.

According to the Lua documentation, the field must be set to prevent tampering with it. Setting it to nil, as is currently done, effectively does nothing.

I went back to LuaBridge 1.0.0, where it was still correctly a boolean. Since 1.0.2 it changed to nil.

This makes me wonder if there are more security issues with LuaBridge...

Edit: I forgot to mention that setting __metatable when constructing Namespace is missing completely. I've also added that to the PR.

Mellnik, Jan 19 '23 12:01
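
The behaviour described in the post above, as an added example that is not part of the thread or of LuaBridge's code: in stock Lua a `__metatable` field set to nil is the same as no field at all, while a boolean value makes `getmetatable` return that boolean and `setmetatable` fail. Plain tables stand in for LuaBridge userdata here, and `probe` is a hypothetical helper name.

```lua
-- Added example. Assumption: a plain table stands in for a LuaBridge object
-- (real LuaBridge objects are userdata created from C++).
-- probe() reports what a script can see and change via the metatable API.
local function probe(protect_value)
  local mt = {
    __index = { describe = function() return "original" end },
    __metatable = protect_value, -- assigning nil leaves the field absent
  }
  local obj = setmetatable({}, mt)

  -- What does the script get back when it asks for the metatable?
  local seen = getmetatable(obj)
  local exposed = rawequal(seen, mt)

  -- If the real metatable is exposed, its fields can be rewritten in place.
  if exposed then
    seen.__index = { describe = function() return "tampered" end }
  end
  local behaviour = obj.describe()

  -- Replacing the whole metatable is refused only when __metatable is set.
  local swapped, err = pcall(setmetatable, obj, {})

  return { seen = seen, exposed = exposed, behaviour = behaviour,
           swapped = swapped, err = err }
end

-- Case 1: __metatable = nil, the state the issue reports since 1.0.2.
local open = probe(nil)
assert(open.exposed and open.swapped)
assert(open.behaviour == "tampered")

-- Case 2: __metatable = true, a boolean as the documentation states.
local locked = probe(true)
assert(locked.seen == true and not locked.exposed)
assert(locked.behaviour == "original")
assert(not locked.swapped)
assert(tostring(locked.err):find("protected metatable", 1, true))

for name, r in pairs({ ["nil"] = open, ["true"] = locked }) do
  print(string.format("__metatable=%s exposed=%s swapped=%s behaviour=%s",
    name, tostring(r.exposed), tostring(r.swapped), r.behaviour))
end
```

For userdata, scripts cannot call `setmetatable` at all, so the first check (what `getmetatable` returns) is the one that matters for bound objects.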

Can you add a unit test which fails with the original implementation and works with the change? I'll gladly help once I have time.

dmitry-t, Mar 04 '23 13:03

The LuaBridge3 repo copied my fix last week + a unit test. Use that? https://github.com/kunitoki/LuaBridge3/commit/cca9b2f7785c918eba111f43f8f8ef177cffd19a

Mellnik, Mar 04 '23 14:03