[Bug]: Lua scripts should not be able to execute arbitrary shell commands
zkrising opened this issue · 3 comments
Is there an existing issue for this?
- I have searched the existing issues
Contact Details
justreplytotheissue
Version Info
Latest available release
What operating system are you seeing the problem on?
Linux (any distro)
Bug Behavior
Lua scripts, including those bundled with packs or charts, can trivially execute arbitrary shell commands via os.system("any shell command here")
This is a huge security hole, as it means any SM pack you download or any file you play can do anything to your machine, such as deleting every file in your home directory, or mining Dogecoin, etc.
While stepartists don't normally distribute malware with their packs, they easily can. A compromised/malicious mirror for existing packs could also insert malware where there wasn't any before.
Given that most people don't look inside packs for arbitrary .lua files before loading them into the game, it would be trivial to use the shell to place malware outside of the pack, and then delete the .lua files afterwards, leaving no trace of malware.
Expected Behavior
Lua scripts should be sandboxed and not be able to execute shell commands.
Reproduction Steps
Put os.system("your command here") in any Lua script that the game will load.
You can make a simfile load a Lua script on-gameplay using #FGCHANGES:0.000=script.lua=1.000=0=0=1;.
Anything else?
This is used as a gimmick in lofty 3 exclusive edition.
That file is actually credited to @poco0317, who is the maintainer of this project - is this intentional behaviour? If so, it's extremely dangerous intentional behaviour.
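One way to get the expected behaviour described in the issue above, as an added example that is not part of the original issue and not the project's own code: load each script into an allowlisted environment instead of the full globals. It assumes the Lua 5.1 API (`loadstring`, `setfenv`); `pick`, `new_env` and `run_sandboxed` are hypothetical names and the sample scripts are constructed.

```lua
-- Added example (Lua 5.1). new_env and run_sandboxed are hypothetical names,
-- not engine API; the sample scripts below are constructed.

-- Copy only the named fields of a library table.
local function pick(src, names)
  local out = {}
  for _, name in ipairs(names) do out[name] = src[name] end
  return out
end

-- Allowlisted globals: nothing here touches files, processes or module loading.
local function new_env()
  local env = pick(_G, { "assert", "error", "ipairs", "next", "pairs", "pcall",
                         "select", "tonumber", "tostring", "type", "unpack" })
  env.math   = pick(math,   { "abs", "ceil", "floor", "max", "min", "pi", "sqrt" })
  env.string = pick(string, { "byte", "char", "find", "format", "len", "lower",
                              "sub", "upper" })
  env.table  = pick(table,  { "concat", "insert", "remove", "sort" })
  env.os     = pick(os,     { "clock", "time" })  -- no execute/remove/rename/getenv
  env._G = env                                    -- scripts see only the sandbox
  return env
end

-- Compile `source` and run it with the allowlisted environment.
-- Returns pcall-style results: true + return values, or false + error message.
local function run_sandboxed(source, chunkname)
  -- loadstring in 5.1 also accepts precompiled bytecode (first byte 27, ESC);
  -- crafted bytecode can crash the interpreter, so accept source text only.
  if source:byte(1) == 27 then
    return false, "precompiled chunks are not allowed"
  end
  local chunk, err = loadstring(source, chunkname)
  if not chunk then return false, err end
  setfenv(chunk, new_env())  -- fresh environment per script
  return pcall(chunk)
end

local samples = {
  { "benign.lua",  'return math.floor(3.7) + #string.upper("ok")' },
  { "shell.lua",   'os.system("your command here")' },
  { "popen.lua",   'return io.popen("your command here")' },
  { "require.lua", 'return require("os")' },
}
for _, s in ipairs(samples) do
  local ok, result = run_sandboxed(s[2], "=" .. s[1])
  print(s[1], ok and "ran" or "blocked", tostring(result))
end
```

String values still reach the full `string` library through their metatable, and the allowlist does not limit CPU or memory, so an engine would need to handle those separately.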
I will admit I created that file but my intention was not for it to be released in a pack. This problem exists in all SM Lua (all versions of SM that load it) and affects every way you can load it, which includes themes, noteskins, bganimations, and charts.
Regardless .... duplicate #957
looks good!