fix(security): anchor Lua-supplied script paths inside game dir #49
Open
Taure wants to merge 5 commits into
Conversation
H1 (2026-05-19 audit): asobi_lua_config:build_modes_from_manifest/2 and
maybe_add_bots/3 both fed unmodified config.lua/match.lua path strings
into filename:join, then to file:read_file + Lua eval. A stray "../" in
config.lua's mode->script table (or in match.lua's bots.script) could
load any readable file as Lua. Body runs under the sandbox so OS syscalls
are still blocked, but the file body has full game.* access and can
exfiltrate state via broadcast/storage.
Fix: new safe_join/2 helper that
* rejects empty / absolute / "/"-starting / ".." / "." / empty-segment paths
* normalises via filename:absname and asserts the result is prefixed by
the absolute base directory + "/"
* returns {ok, AbsPath} on success, {error, Reason} otherwise
Applied at both call sites. maybe_add_bots now logs and skips the bot
config when the path is rejected, rather than crashing the loader.
Audit doc: docs/security_audit_2026_05_19.md.
LOW-severity advisory against cow_cookie:cookie/1 with no upstream patch. asobi_lua only pulls cowboy transitively for the lua_match HTTP hand-off and never calls cow_cookie:cookie/1 directly. Tracked in docs/security_audit_2026_05_19.md. Requires Taure/erlang-ci#62 (audit-ignores input). Temporarily pinned to the feature branch SHA.
GHSA-jfc2-q6qh-g5x8 (HIGH, multipart header buffer accumulation) hits cowboy versions >= 2.0.0, < 2.15.0. asobi_lua was inheriting the stale 2.13.0 pin transitively. Direct-pin cowboy 2.15.0 plus the standard cowlib/ranch override so rebar3 can resolve the package's "and"-syntax dep declarations. rebar3 audit -i GHSA-g2wm-735q-3f56 now reports 0 vulnerabilities (was 1: cowboy 2.13.0 HIGH).
Closes the single High finding from the 2026-05-19 security audit.
Summary
asobi_lua_config:build_modes_from_manifest/2 and maybe_add_bots/3 both fed Lua-supplied path strings (config.lua mode->script entries, match.lua's bots.script) into filename:join, then on to file:read_file + Lua eval. A stray "../" in those strings could load any readable file as Lua. The body still runs under the sandbox so OS syscalls are blocked, but it has full game.* access and can exfiltrate state via broadcast/storage.
The new safe_join/2 helper:
* rejects empty / absolute / "/"-starting / ".." / "." / empty-segment paths.
* normalises via filename:absname and asserts the result is prefixed by the absolute base directory + "/".
* returns {ok, AbsPath} on success, {error, Reason} otherwise.
Applied at both call sites. maybe_add_bots now logs and skips the bot config when the path is rejected, rather than crashing the loader.
Test plan
* asobi_lua_config_path_tests.erl covering: valid relative, nested, "..", nested-"..", absolute, empty, ".", "//", trailing slash on base
* rebar3 eunit — 225 tests, 0 failures
* rebar3 fmt --check, xref, dialyzer clean
* elp eqwalize-all — no new errors from this change (45 pre-existing remain across other modules)
* elp lint --module asobi_lua_config — no new warnings
What is NOT in this PR
The audit's 3 Medium and 4 Low findings are deferred. Top items:
* debug.* from the sandbox (one-line addition to strip_dangerous_globals/1)
* do_with_timeout_results/3 should use spawn_opt with max_heap_size like bounded_eval/2
* handle_input (needs benchmarking vs ADR 0002)
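An added example, not code from this PR or the asobi_lua repository, of a safe_join/2 written along the lines the description above gives: reject the listed path shapes, normalise with filename:absname, and assert the base-directory prefix. The module name, error atoms, and the game directory used in demo/0 are assumptions.

```erlang
%% Added example (not the PR's code): a safe_join/2 in the shape the PR
%% description gives. Base is the game directory, Rel the Lua-supplied
%% relative path; both are assumed to be charlists.
-module(safe_join_example).
-export([safe_join/2, demo/0]).

-spec safe_join(string(), string()) -> {ok, string()} | {error, atom()}.
safe_join(_Base, "") ->
    {error, empty_path};
safe_join(_Base, [$/ | _]) ->
    %% filename:join/2 would discard Base entirely for an absolute Rel.
    {error, absolute_path};
safe_join(Base, Rel) ->
    case filename:pathtype(Rel) of
        relative -> check_segments(Base, Rel);
        _ -> {error, absolute_path}
    end.

check_segments(Base, Rel) ->
    %% Split on "/" directly so "a//b" and "a/" expose an empty segment;
    %% filename:split/1 would collapse those silently.
    Segs = string:split(Rel, "/", all),
    Bad = fun(S) -> lists:member(S, ["", ".", ".."]) end,
    case lists:any(Bad, Segs) of
        true -> {error, bad_segment};
        false -> check_prefix(Base, Rel)
    end.

check_prefix(Base, Rel) ->
    %% filename:absname/1 does not resolve "..", so the segment check above
    %% is the real guard; the prefix assertion is the backstop the PR adds.
    AbsBase = string:trim(filename:absname(Base), trailing, "/"),
    AbsPath = filename:absname(filename:join(AbsBase, Rel)),
    case lists:prefix(AbsBase ++ "/", AbsPath) of
        true -> {ok, AbsPath};
        false -> {error, outside_base}
    end.

%% Runs the helper over a constructed game dir (an assumption, not a repo
%% path) and the input shapes the PR's test plan lists.
demo() ->
    Base = "/srv/asobi/games/demo/",
    Inputs = ["modes/ctf.lua", "bots/default.lua", "../../etc/passwd",
              "modes/../../x.lua", "/etc/passwd", "", "./a.lua",
              "bots//default.lua", "modes/"],
    [{In, safe_join(Base, In)} || In <- Inputs].
```

Only the first two inputs in demo/0 come back as {ok, _}; every other shape is rejected before filename:join ever sees it, which is the property the loader relies on.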