Disabling infinite loops

I’ve got a system setup where users can input their own lua code and it will be sandboxed and ran, I’ve only just realised that this means they are also able to create infinite loops with something like ‘while true do end’ etc… I’ve spent a while thinking of ways I can disable this, I’d like to note that they function is created from a string so I could always replace all instances of the word ‘while’ with ‘if’ or something, but I feel this would be inconsistent and I might miss something.

I’ve spent a good amount of time looking at the debug.sethook function but I can’t for the life of me figure out how I might be able to disable these user made infinite loops in a better way, any ideas guys?


you know u can exit from loops by [LUA]break[/LUA].
But I will try to find out what you really want. But I dont know what is the function you have problem.

IMHO, you have to work with stuff like patterns (https://wiki.garrysmod.com/page/Patterns) and search for every kind of malicious code.

But keep in mind that LUA was not designed for this and working with huge patterns/huge haystacks is extremely expensive on resources side.

Thanks for the comments guys, I’ll explain in more detail what I mean: I have a system setup; where a 2d3d screen has some functions available such as PrintToScreen, this function will write text on the 2D3D layer, the player can code their own ‘chips’ for the screen so that when the entity is spawned it will execute the code they have entered such as, PrintToScreen(“Booting…”) and it will appear on the screen.

Because they are actually coding lua which is then turned from a string into a function, they have the ability to write stuff like functions, use if statements etc… but I would like to stop them from using while statements to crash the game whenever the entity is spawned.

Allowing players to run arbitrary code is extremely dangerous. If that was only client-side it’s OK somehow bc the only thing they could damage is themselves and their game client, but on server side people with some advanced LUA knowledge may run literally any code and you would never be able to control it because there’s a thing called obfuscation.

I know that someone’s done this in the past, and I think they did use debug.sethook, but… I guess I shouldn’t be posting. :confused:

Edit: Wiremod created an entirely new language for this kind of thing. Maybe you can just use that? (I think it was called Expression)

Thanks igodsewer, I am fully aware of the risks involved with providing users with a platform for running code, the code is sandboxed AND clientside only, it works by storing the code on the server where it is in string format (never turned into a function), when the player needs it they request it with a net message and it is made into a function on the clients end.

NeatNit: I was thinking about giving that a go but it seems much more complicated than giving players a sandboxed lua environment, if it’s what I have to do though I might check it out, cheers!

In that case you just need to make really much patterns and check for each one. I do not see any other ways to do that.
But if guy would really want to make malicious code he would do that and you won’t know about it. Just as with antivirus software - hackers release viruses first and then antivirus companies release security patches for viruses.

UPD: or go by this way but I’m not sure if anyone could ever implement that on LUA.

Alright, thanks again.

Forget about pattern matching or searching for malicious code, sorry but it’s a dumb idea. There’s an infinite number of ways to make an expression that’s always true and you can’t protect against it. Example:

[lua]a = 1
b = 2
while b ~= a do
b = b + 1

And this is only regarding endless loops. There’s other, much more dangerous things they can do, like literally everything that Lua can do in gmod.

If I were in your shoes I’d just start looking for ways to install Wiremod only for Expression 2 and maybe adapt it to fit your needs. The advantage is that a lot of people are already familiar with E2, it’s been proven to work, and (I’m assuming) already has malice protection built into it - or at the very least, isn’t exposed to “dangerous” actions.

I suggest you go to their official forum (which seems to be reddit - https://www.reddit.com/r/wiremod/) and ask about how to do this.

I get what you mean, thanks NeatNit. I’ll probably look to adapting E2 or something, but I think it’s worth mentioning that I used string.Replace to replace all instances of “while” with “if”, this means that the users aren’t able to create while loops anymore but they could still loop functions continuously with something like:

function Lag() 


I looked into wiremod and it looks like they run a Pcall to search for errors like stack overflows, I would love to do this but I have no idea how they are searching for errors without actually running the potentially dangerous code…

[lua]function infinity(_, i)
return i and (i + 1) or 1

for i in infinity do

(also if you’re going to make a language without loops you might as well not make it at all)

oh damn yea, forgot about that one. I guess I’ll just give up or do as you said and look into E2. Thanks for all the help :smiley:

[editline]14th October 2016[/editline]

Thanks for the help everyone, I’m going to create a new question quickly because I have another idea and if that doesn’t work I will move on. Cheers.