Best method for in-addon scripting?

Hey,

So for a while I’ve liked the idea of offering an in-addon scripting system / engine for various scripts. For example: gterminal2 was set to ship with a Lua-based scripting system that could be run on the PCs…
Now this is all well and good, but I’m having trouble thinking of ways this could be executed safely. What I mean is: how can I give users the ability to run various functions such as ‘print’ etc… without exposing Lua functions like halo.add for cheating purposes?

My initial idea would be to work on a word whitelist system that checks whether the script contains commands that don’t match a table (like {‘print’, ‘sound.play’}), but then there are issues regarding different spaces and maybe indirect uses of functions, such as calling them from _G.

In short: Trying to think of a way to create an in-addon scripting engine for something like a PC (see: https://www.youtube.com/watch?v=jLnvrEk8qdo) without exposing risky functions that the player could use to cheat such as net functions / halo.add etc…

You should look into http://wiki.garrysmod.com/page/Global/setfenv

EDIT: Here’s a stupid example that might not even work:



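```lua
-- CompileString needs an identifier (used in error messages) as its second argument.
local fn = CompileString("myFunction(123)", "sandbox_example")
-- Replace the function's environment: myFunction is now its only global.
setfenv(fn, { myFunction = print })
fn()
-- Will print "123". Trying to access any global other than myFunction will result in a nil value.
```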


Thanks for the reply. Not sure if I’m stupid, but this function doesn’t make 100% sense to me; I’m on my phone currently and will re-read when I’m home. I’m guessing it creates a new environment where only certain functions are accessible?

Yes, it basically sets the new _G for a function and since _G contains all global variables, including global functions, this can be used for sandboxing.

Oh awesome :D, thanks for this!
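
The setfenv approach from this thread, extended into a whitelist environment that also covers the `_G` indirection raised in the question. This is an added example, not code from any of the posters; `make_env` and `run_sandboxed` are hypothetical names, and it assumes Lua 5.1 / LuaJIT semantics (as in Garry's Mod), falling back to `loadstring` when `CompileString` is not defined.

```lua
-- Added example, not from the thread. Lua 5.1 / LuaJIT semantics (setfenv exists).
-- make_env and run_sandboxed are hypothetical names.

-- Build the whitelist: the script can reach only what is placed in this table.
local function make_env(output)
    local env = {
        -- Wrapper that collects output instead of handing out the real print.
        print = function(...)
            local parts = {}
            for i = 1, select("#", ...) do parts[i] = tostring((select(i, ...))) end
            output[#output + 1] = table.concat(parts, "\t")
        end,
        tostring = tostring, tonumber = tonumber, pairs = pairs, ipairs = ipairs,
        -- Copies of library tables, so a script cannot overwrite the real ones.
        math = { floor = math.floor, max = math.max, min = math.min },
    }
    -- Deliberately absent: getfenv, setfenv, debug, require, loadstring,
    -- CompileString, RunString. Any of these gives a way back to the real globals.
    env._G = env -- "_G.x" inside the script resolves within the sandbox
    return env
end

local function run_sandboxed(code)
    local output, fn, err = {}, nil, nil
    if CompileString then
        -- GMod: handleError = false returns the compile error as a string.
        fn = CompileString(code, "sandbox", false)
        if type(fn) == "string" then fn, err = nil, fn end
    else
        fn, err = loadstring(code, "sandbox") -- plain Lua 5.1 / LuaJIT
    end
    if not fn then return false, err, output end
    setfenv(fn, make_env(output))
    local ok, run_err = pcall(fn) -- runtime errors stay inside the sandbox call
    return ok, run_err, output
end

-- Constructed sample scripts: one allowed call, two attempts to reach other globals.
for _, src in ipairs({
    'print("hello", math.max(1, 2))',
    'halo.Add({})',
    '_G.print(_G.net, _G.halo)',
}) do
    local ok, err, out = run_sandboxed(src)
    print(src, ok, err, table.concat(out, " | "))
end
```

setfenv restricts global lookups only: string methods stay reachable through the shared string metatable, and nothing here bounds CPU time or memory, so a script containing `while true do end` still needs separate handling.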