Time Nick Message
01:43 Guest41 Hello
01:47 MTDiscord hi
12:32 kilbith we've got a winner here: https://content.minetest.net/threads/1563/
12:45 sfan5 storing the http api in a global variable does seem unwise
12:47 kilbith is someone able to demonstrate some practical examples of security exploits?
12:47 kilbith because for instance, I haven't seen it
12:47 rubenwardy that is a security issue, it effectively disables secure.http_mods
12:47 kilbith skinsdb is storing http in a global too
12:47 kilbith in the mod namespace as well
12:47 kilbith like many other mods
12:47 rubenwardy it's not as bad as exposing insecure environments, but it's not good practice
12:49 kilbith so a mod could exploit i3.http without being registered in secure.http_mods, correct?
12:50 kilbith if that's so, what kind of data could be exploited? how dangerous could it be for the user?
12:54 rubenwardy the setting exists so that users can be informed about which mods have internet access, as this in itself has performance/privacy/security concerns
12:54 rubenwardy other mods making the same mistake isn't an excuse
12:55 kilbith if by "sensible data" you mean you can http-send that "one player has 10 diamonds in some chest", I can only laugh at that
12:55 rubenwardy I'd like there to be a dialog for HTTP mods at Select Mod time
12:55 kilbith * sensitive
12:55 rubenwardy and the ability to request_http_api() from a dofile
12:56 rubenwardy the latter one would make it more convenient to not store it in a global
12:58 sfan5 if you'd like a more realistic example a mod could leak chat and/or private messages
12:58 kilbith waaaw
12:58 sfan5 or track users' IPs and send them somewhere
12:58 sfan5 or misuse the server's computing power to mine whatever cryptocurrency
12:59 kilbith but websites are already tracking our IPs
12:59 sfan5 you seem to think that is an excuse
12:59 kilbith private messages or chat = lol
13:00 sfan5 it's okay if you do not care about your users' privacy but then you should state that clearly in the README
13:00 kilbith Minetest isn't the place to share some confidential data about your lofe
13:00 kilbith life
13:01 sfan5 like I said just state it in your readme so your users are informed
13:01 sfan5 they can then judge themselves whether they agree
13:02 rubenwardy btw, to pass a secure object into another dofile you can do: `assert(loadfile(path .. "file.lua"))(http_api)`
13:02 rubenwardy then `local http = ...`
13:02 rubenwardy if you have more than one thing you want to be local to your mod, you can make a `local shared` in the mod's init.lua
13:04 kilbith `local shared`?
13:04 kilbith never heard of that
13:04 kilbith you are not saying that `shared` is a Lua keyword, right?
13:05 rubenwardy I mean `local shared = { http = minetest.request_http_api(), other_thing = 3 }`
13:06 sfan5 rubenwardy: btw have you considered CDB running an automated test with the mod installed?
13:06 sfan5 (not related to this, just in general)
13:08 rubenwardy I have yeah
13:09 rubenwardy my problem with that would be running untested code, even if Minetest has a sandbox
13:09 rubenwardy would also require a CLI interface for installing the mods, with the dependencies
13:09 rubenwardy but it's possible
13:09 rubenwardy you could have a different VPS for untrusted mods I guess
13:09 rubenwardy s/untrusted mods/testing the mods/
13:10 sfan5 containers / OS sandboxes?
13:15 sfan5 if you need inspiration there's this https://github.com/minetest/minetest/blob/master/util/test_multiplayer.sh
13:15 sfan5 even less code if you test without a client
17:25 MTDiscord Minetest mod security is a scam
17:25 MTDiscord Let one mod out of the sandbox and they will all be able to
17:33 celeron55 it's not a scam, it's just what has been possible with the resources we have had
17:33 celeron55 also, can someone point me to a game that sandboxes each of its mods individually
17:49 MTDiscord There are
17:49 MTDiscord And it would have been possible in Lua if a proper interface for require had been created and each mod were loaded in its own environment
17:52 MTDiscord The current problem is that everything goes through a possibly dirty global table. Builtins, which are essential for even loading your code (unless it's all in init.lua), callbacks, Minetest engine functions, everything.
17:57 erlehmann come on
17:57 erlehmann as soon as you have turing complete stuff you can't effectively sandbox it
17:57 erlehmann minetest could improve, yeah
17:57 erlehmann but stop claiming sandboxing solves everything
17:58 erlehmann luatic as long as mod code can overflow the stack on the server or cause integer overflows, mod security should be the least of worries
17:59 erlehmann i mean as long as you are not running 5.3
18:00 erlehmann luatic but if you are running 5.3 users can probably take over your server in other ways than injecting lua …
18:23 sfan5 ah yes, the eternal RCE meme
18:45 MTDiscord show me RCE exploiting an integer overflow
18:45 MTDiscord or at least show me an exploitable crash
18:49 sfan5 writing a successful, reliable remote exploit is very hard in the age of numerous hardening measures being enabled in applications, libraries and kernels by default
18:50 sfan5 more likely and much easier are injection vulnerabilities
18:50 sfan5 but I wouldn't say it's likely for one to exist in the engine
18:50 luk3yx btw, to pass a secure object into another dofile you can do: `assert(loadfile(path .. "file.lua"))(http_api)`
18:51 luk3yx I advise against doing that with the insecure environment (minetest.request_insecure_environment), with the HTTP API it's probably fine thogh
18:51 luk3yx *though
18:51 sfan5 why/why not?
18:52 luk3yx I could change loadfile from another mod
18:52 sfan5 that is true and one of the shortcomings
18:53 sfan5 if you have the insecure env you can use loadfile from there anyway
18:53 luk3yx The HTTP API already calls minetest.add_http_fetch or something similar so is vulnerable anyway
18:54 luk3yx Maybe there should be a get_modpath function in the insecure environment as well
18:59 sfan5 huh that's a problem I wasn't aware of
19:05 sfan5 maybe some globals really need protection from modification
19:05 sfan5 don't know how feasible this is in lua however
19:06 celeron55 https://www.lua.org/pil/13.4.5.html
19:06 celeron55 using a metatable (obviously - it's lua after all)
19:07 sfan5 can't people just setmetatable that away
19:07 celeron55 hmm
19:08 celeron55 a metatable for the global environment? lol
19:08 celeron55 a metatable is always the solution, you just have to figure out where you put it
19:10 celeron55 my bet is, some day MT will have a way to make a mod have its own environment and be callable only by basically an RPC, and then everyone will simultaneously love and hate it
19:11 celeron55 it's going to be janky as hell to use, but won't have those kinds of silly leaks
19:12 celeron55 people don't realize how nice they have it with the single lua environment
19:14 MTDiscord single lua environment is pretty nice indeed
19:14 MTDiscord i think we only need separate environments for "trusted" mods
19:16 MTDiscord that way, if your mod for some reason needs to go out of the sandbox, people will suffer to use it, but it's fine
19:16 celeron55 that's true, it would be basically like rust's unsafe
19:17 celeron55 it would also allow multithreading as another reason to use it
19:17 celeron55 or maybe not
19:17 celeron55 well, depends, but safety is only one reason for wanting to use a separate environment
19:21 celeron55 or, implement
19:48 MTDiscord "a metatable for the global environment", well not the first or second time I've told someone that MT should stop playing luacheck... I mean mod env metatable for index/newindex.
19:49 MTDiscord just my opinion and just because I had one (and still have) :)
19:51 MTDiscord best to only use rawget for every global var access from mods (bad joke but yeah would love to see that hack disappear)
20:33 MTDiscord luk3yx: You would've used [off] in vain. The Discord bridge doesn't discard messages starting with [off].
20:35 MTDiscord logging still does
20:35 MTDiscord so not in vain
20:36 MTDiscord *completely
20:36 MTDiscord But celeron55: No, setting a metatable on the global table is insufficient as (1) there's always rawset & rawget and (2) a metatable can't prevent changing fields. You really need to load each mod in its own environment for them to be isolated.
20:37 MTDiscord And yes, while a single Lua environment may be pretty nice, require would be even nicer.
20:38 celeron55 is there a proof of concept PR of this require that you're talking about?
20:38 MTDiscord "as soon as you have turing complete stuff you can't effectively sandbox it" - wrong, IMO
20:39 MTDiscord there is no such PR yet
20:47 rubenwardy sfan5: __metatable prevents changing the metatable
21:02 MTDiscord only if debug.setmetatable is not exposed
21:35 luk3yx I think that MT should just expose some functions (such as get_modpath) in the insecure environment and put the responsibility of using them properly onto mods that need it
21:36 luk3yx That way the majority of mods that don't need the insecure environment don't have to live with any metatable-related issues/performance hits that might arise
21:38 luk3yx Though that would make it easy for mods to accidentally use the wrong function and create a security issue
22:00 luk3yx Maybe loading mods that are in secure.trusted_mods first would work (at least during load time), but then that wouldn't work if they depended on any mod not in secure.trusted_mods
22:01 sfan5 solution: don't load mods you don't trust
22:02 MTDiscord solution: don't load mods
22:23 MTDiscord I mean, I am all for separate lua contexts. For example, a lua-only mapgen with multithreading, so each thread has its own lua context. That would help with map generation significantly for lua based mapgens.
22:24 MTDiscord Or using the client-side lua for physics calculations so that we have client side boat or cart or flying or racing mechanics
22:24 MTDiscord etc. etc. Ideally I think we could fire off lua contexts with a single text block and then we poll for a flag or provide a callback for when it finishes
22:36 MTDiscord the tough part about separate lua contexts is that all calls between them need to be serialized as messages, which will have performance consequences, and many things like functions cannot be serialized, so there would be serious limitations to cross-mod dependency injection or callback APIs.
22:44 MTDiscord Functions can be serialized
22:44 MTDiscord It's a security risk, but it's possible
23:12 kilbith http://sprunge.us/6rHnnR
23:12 kilbith phew.
23:35 kilbith MineClone2 is about half the size of the engine in terms of LOC: http://sprunge.us/mBw6Gw
23:37 kilbith and Dreambuilder is 151 KLOC (Lua), that's bigger than the engine
23:39 MTDiscord taking a sudden interest in comparing game sizes?
23:52 MTDiscord anyways, seems interesting the only two servers running i3 are two separate games that use it
23:52 erlehmann the only *public* servers
23:53 erlehmann show me RCE exploiting an integer overflow
23:53 erlehmann lol
23:53 erlehmann more likely and much easier are injection vulnerabilities
23:53 erlehmann but I wouldn't say it's likely for one to exist in the engine
23:54 erlehmann sfan5, the one that has been fixed was funny though, i think in-game items have no business executing arbitrary code.
23:54 MTDiscord well duh I'm talking about public servers
23:58 MTDiscord I use i3 on mesecraft, which is a mod soup
23:58 MTDiscord centeria is the server, mesecraft is the game
23:59 MTDiscord Tho I have modded mesecraft enough that at some point I may have to change the name