#49 - Proto authorization

49 - Proto authorization

Author: yogwoggf

.editorconfig

@@ -0,0 +1,6 @@
+root = true
+
+[*]
+indent_style = tab
+indent_size = 4
+max_line_length = 128

packages/autorun-env/Cargo.toml

@@ -11,6 +11,7 @@ libloading = { workspace = true }
 anyhow = { workspace = true }
 retour = { workspace = true }
 cap-std = { workspace = true }
+rand = "0.8.5"
 
 autorun-core = { path = "../autorun-core" }
 autorun-types = { path = "../autorun-types" }

packages/autorun-env/api.json

@@ -346,6 +346,42 @@
 						}
 					]
 				},
+				{
+					"name": "isFunctionAuthorized",
+					"description": "Checks if a given function or stack level is authorized by the Autorun environment.",
+					"realm": "shared",
+					"parameters": [
+						{
+							"name": "funcOrLevel",
+							"type": "function | number",
+							"description": "The function to check or the stack level"
+						}
+					],
+					"returns": [
+						{
+							"type": "boolean",
+							"description": "True if the function/level is authorized, false otherwise"
+						}
+					]
+				},
+				{
+					"name": "isProtoAuthorized",
+					"description": "Checks if a given prototype is authorized by the Autorun environment. This can be used to verify if protos from VM events are from Autorun or not.",
+					"realm": "shared",
+					"parameters": [
+						{
+							"name": "proto",
+							"type": "proto",
+							"description": "The prototype to check"
+						}
+					],
+					"returns": [
+						{
+							"type": "boolean",
+							"description": "True if the prototype is authorized, false otherwise"
+						}
+					]
+				},
 				{
 					"name": "load",
 					"description": "Compiles a Lua string into a callable function without executing it. Similar to Lua's loadstring/load function. Use this to dynamically compile code at runtime. NOTE: The environment inside defaults to the global environment, NOT Autorun's environment.",

packages/autorun-env/src/env.rs

@@ -6,12 +6,13 @@ use autorun_log::*;
 use autorun_lua::{LuaApi, RawHandle};
 use autorun_luajit::{GCRef, LJState, index2adr};
 use autorun_types::{LuaState, Realm};
-use std::ffi::{CStr, c_int};
+use std::ffi::{CStr, CString, c_int};
 
 #[derive(Debug, Clone, Copy)]
 pub struct EnvHandle {
 	realm: Realm,
 	env_gcr: GCRef,
+	chunk_nonce: u64,
 	handle: RawHandle,
 }
 
@@ -165,13 +166,18 @@ impl EnvHandle {
 		lua.push(state, as_env_lua_function!(crate::functions::is_function_authorized));
 		lua.set_table(state, -3);
 
+		lua.push(state, c"isProtoAuthorized");
+		lua.push(state, as_env_lua_function!(crate::functions::is_proto_authorized));
+		lua.set_table(state, -3);
+
 		lua.push(state, c"VERSION");
 		lua.push(state, env!("CARGO_PKG_VERSION").to_string());
 		lua.set_table(state, -3);
 	}
 
 	pub fn execute(&self, lua: &LuaApi, state: *mut LuaState, name: &CStr, src: &[u8]) -> anyhow::Result<()> {
-		if let Err(why) = lua.load_buffer_x(state, src, name, c"t") {
+		let name = self.format_chunk_name(name)?;
+		if let Err(why) = lua.load_buffer_x(state, src, &name, c"t") {
 			anyhow::bail!("Failed to compile: {why}");
 		}
 
@@ -206,7 +212,25 @@ impl EnvHandle {
 		let env_gcr = unsafe { (*env_tvalue).gcr };
 
 		let handle = RawHandle::from_stack(lua, state).unwrap();
-		Ok(Self { realm, env_gcr, handle })
+		let chunk_nonce = rand::random::<u64>();
+		Ok(Self {
+			realm,
+			env_gcr,
+			chunk_nonce,
+			handle,
+		})
+	}
+
+	pub fn format_chunk_name(&self, base: &CStr) -> anyhow::Result<CString> {
+		let formatted = format!("{}-{}", self.chunk_nonce, base.to_str()?);
+		Ok(CString::new(formatted)?)
+	}
+
+	pub fn is_chunk_name_authorized(&self, chunk_name: &CStr) -> bool {
+		match chunk_name.to_str() {
+			Ok(name_str) => name_str.starts_with(&self.chunk_nonce.to_string()),
+			Err(_) => false,
+		}
 	}
 
 	fn push_autorun_table(&self, lua: &LuaApi, state: *mut LuaState) {

packages/autorun-env/src/functions/auth.rs

@@ -1,6 +1,6 @@
 use anyhow::Context;
 use autorun_lua::{DebugInfo, LuaApi};
-use autorun_luajit::{Frame, LJState, push_tvalue};
+use autorun_luajit::{Frame, GCProto, LJ_TPROTO, LJState, get_gcobj, index2adr, push_tvalue};
 use autorun_types::LuaState;
 
 pub fn is_function_authorized(lua: &LuaApi, state: *mut LuaState, env: crate::EnvHandle) -> anyhow::Result<bool> {
@@ -34,3 +34,23 @@ pub fn is_function_authorized(lua: &LuaApi, state: *mut LuaState, env: crate::En
 	env.is_function_authorized(lua, state, None)
 		.context("Failed to check function authorization.")
 }
+
+pub fn is_proto_authorized(_lua: &LuaApi, state: *mut LuaState, env: crate::EnvHandle) -> anyhow::Result<bool> {
+	// Protos dont play nice with the usual public API types, so we just have to do it manually
+	let lj_state = state as *mut LJState;
+	let lj_state = unsafe { lj_state.as_ref().context("Failed to dereference LJState")? };
+	let proto_tv = index2adr(lj_state, 1).context("Failed to get TValue for given index.")?;
+	let proto_tv = unsafe { &*proto_tv };
+
+	// TODO: When the stack spoof PR is merged, replace this with the new type check helper
+	if proto_tv.itype() != LJ_TPROTO {
+		anyhow::bail!("First argument must be a proto.");
+	}
+
+	let proto_gc = get_gcobj::<GCProto>(lj_state, 1).context("Failed to get GCProto for given index.")?;
+	let proto_chunk_name = proto_gc.chunk_name_str().context("Failed to get chunk name from proto.")?;
+	let proto_chunk_name_cstr =
+		std::ffi::CString::new(proto_chunk_name.clone()).context("Failed to convert chunk name to CString.")?;
+
+	Ok(env.is_chunk_name_authorized(&proto_chunk_name_cstr))
+}

packages/autorun-env/src/functions/load.rs

@@ -1,10 +1,11 @@
 use autorun_lua::{LuaApi, RawLuaReturn};
 use autorun_types::LuaState;
 
-pub fn load(lua: &LuaApi, state: *mut LuaState, _env: crate::EnvHandle) -> anyhow::Result<RawLuaReturn> {
+pub fn load(lua: &LuaApi, state: *mut LuaState, env: crate::EnvHandle) -> anyhow::Result<RawLuaReturn> {
 	let source = lua.check_string(state, 1);
 	let chunk_name = lua.to::<Option<&[u8]>>(state, 2).unwrap_or(b"loadstring");
 	let chunk_name = std::ffi::CString::new(chunk_name)?;
+	let chunk_name = env.format_chunk_name(&chunk_name)?;
 
 	if let Err(why) = lua.load_buffer_x(state, source.as_bytes(), &chunk_name, c"t") {
 		lua.push_nil(state);

packages/autorun-luajit/src/types/common.rs

@@ -1,5 +1,6 @@
 // Subset of lj_obj.h
 
+use anyhow::Context;
 use std::ffi::{c_int, c_void};
 
 // IMPORTANT: GMod's LUA_IDSIZE was randomly changed to 128 instead of 60 like in vanilla LuaJIT
@@ -27,7 +28,7 @@ pub trait IntoLJType {
 	const LJ_TYPE: u32;
 }
 
-pub type MSize = u64;
+pub type MSize = u32;
 pub type GCSize = u64;
 
 #[repr(C)]
@@ -276,15 +277,38 @@ pub struct GCState {
 	pub pause: MSize,
 }
 
-#[repr(C)]
+/// NOTE: Incompatibility with LuaJIT 2.1 here.
+/// 2.1 has the 'sid' field, while GMod's 2.1.0-beta3 does not.
+/// 2.1's hash field is a uint32_t, while GMod's is a MSize.
+#[repr(C, packed)]
 pub struct GCstr {
 	pub header: GCHeader,
-	pub udtype: u8,
+	pub reserved: u8,
 	pub unused: u8,
-	pub env: GCRef,
+	pub hash: MSize,
 	pub len: MSize,
-	pub metatable: GCRef,
-	pub align1: u32,
+	pub _padding: u32, // The two bytes (reserved + unused) causes major misalignment, so we need padding here
+}
+
+impl GCstr {
+	fn data(&self) -> *const u8 {
+		// payload is stored immediately after the GCstr struct
+		unsafe { (self as *const GCstr).add(1) as *const u8 }
+	}
+
+	fn as_bytes(&self) -> &[u8] {
+		unsafe { std::slice::from_raw_parts(self.data(), self.len as usize) }
+	}
+
+	pub fn as_str(&self) -> anyhow::Result<&str> {
+		if self.len == 0 || self.data().is_null() {
+			return Ok("");
+		}
+
+		let bytes = self.as_bytes();
+		let s = std::str::from_utf8(bytes).context("GCstr contains invalid UTF-8 data")?;
+		Ok(s)
+	}
 }
 
 impl IntoLJType for GCstr {
@@ -327,6 +351,50 @@ impl IntoLJType for GCUpval {
 
 pub type BCIns = u32;
 
+pub type BCLine = u32;
+
+#[repr(C)]
+#[derive(Debug, Clone, Copy)]
+pub struct GCProto {
+	header: GCHeader,
+	pub numparams: u8,
+	pub framesize: u8,
+	pub sizebc: MSize,
+	pub unused: u32,
+	pub gclist: GCRef,
+	pub k: MRef,
+	pub uv: MRef,
+	pub sizekgc: MSize,
+	pub sizekn: MSize,
+	pub sizept: MSize,
+	pub sizeuv: u8,
+	pub flags: u8,
+	pub trace: u16,
+	pub chunkname: GCRef,
+	pub firstline: BCLine,
+	pub numline: BCLine,
+	pub lineinfo: MRef,
+	pub uvinfo: MRef,
+	pub varinfo: MRef,
+}
+
+impl GCProto {
+	pub fn chunk_name_str(&self) -> anyhow::Result<&str> {
+		let chunk_name = unsafe {
+			self.chunkname
+				.as_ptr::<GCstr>()
+				.as_ref()
+				.context("Failed to dereference chunk name GCstr")?
+		};
+
+		chunk_name.as_str()
+	}
+}
+
+impl IntoLJType for GCProto {
+	const LJ_TYPE: u32 = LJ_TPROTO;
+}
+
 // Metamethod enum
 #[repr(u8)]
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]

plugins/std/src/shared/builtins.lua

@@ -98,6 +98,15 @@ bit = {
     ror = _G.bit.ror,
 }
 
+jit = {
+    attach = _G.jit.attach,
+    flush = _G.jit.flush,
+    on = _G.jit.on,
+    off = _G.jit.off,
+    status = _G.jit.status,
+    version = _G.jit.version,
+}
+
 assert = _G.assert
 collectgarbage = _G.collectgarbage
 dofile = _G.dofile