MTSR/minetest_modding_book
4
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
a0f0aabdac
minetest_modding_book/_en/quality/security.md

3.7 KiB
Raw Blame History

title layout root idx description redirect_from
Security default ../.. 7.25 Use LuaCheck to find errors /en/chapters/luacheck.html

Introduction

Security is very important in making sure that your mod doesn't cause the server owner to lose data or control.

Core Concepts

The most important concept in security is to never trust the user. Anything the user submits should be treated as malicious. This means that you should always check that the user has the correct permissions, that the give valid information, and they are otherwise allowed to do that action (ie: in range or an owner)

A malicious action isn't necessarily the modification or destruction of data, but can be accessing data they're not supposed to such as password hashes or private messages. This is especially bad if the server stores information such as emails or ages, which some may do for verification purposes.

Formspecs

Never Trust Submissions

Any users can submit almost any formspec with any values at any time.

Here's some real code found in a mod:

minetest.register_on_player_receive_fields(function(player, formname, fields)
    -- Todo: fix security issue here
    local name = player:get_player_name()
    if formname ~= "mymod:fs" then
        return
    end

    for key, field in pairs(fields) do
        local x,y,z = string.match(key, "goto_([%d-]+)_([%d-]+)_([%d-]+)")
        if x and y and z then
            player:setpos({ x=tonumber(x), y=tonumber(y), z=tonumber(z) })
            return true
        end
    end
end

Can you spot the issue? A malicious user could submit a formspec containing their own position values, allowing them to teleport to anywhere they wish to. This could even be automated using client modifications to essentially replicate the /teleport command with no need for a privilege.

The solution for this kind of issue is to use a Context, as shown in the formspecs chapter.

Time of Check isn't Time of Use

Any users can submit any formspec with any values at any time, except where the engine forbids it:

  • A node formspec submission will be blocked if the user is too far away.
  • From 5.0 onward, named formspecs will be blocked if they haven't been shown yet.

This means that you should check in the handler that the user meets the conditions for showing the formspec in the first place, and any corresponding actions.

The vulnerability caused by checking for permissions in the show formspec but not in the handle formspec is called Time Of Check is not Time Of Use (TOCTOU).

(Insecure) Environments

Minetest allows mods to request an unsandboxed environment, giving them access to the full Lua API.

Can you spot the vulnerability in the following?

local ie = minetest.request_insecure_environment()
ie.os.execute(("path/to/prog %d"):format(3))

String.format is a function in the global shared table String. A malicious mod could override this function and pass stuff to os.execute:

String.format = function()
    return "xdg-open 'http://example.com'"
end

The mod could pass something a lot more malicious than opening a website, such as giving a remote user control over the machine.

Some rules for using an insecure environment:

  • Always store it in a local and never pass it into a function.
  • Make sure you can trust any input given to an insecure function, to avoid the issue above. This means avoiding globally redefinable functions.