Solvable by #27
The worker manager contract, to my best knowledge, means that after all modules top level closures are called, the environment can be poisoned. However, if the environment is poisoned, then this opens up the sandbox's attack surface as sandboxed code MAY be able to call setfenv and trick unsandboxed code into unsafe calling or usage of globals. This is why it is recommended to localize globals before you use them in any code used by worker managers.
Also, the environment is cleared, so using globals after the setfenv(1, {}) call would cause an error.
Modules used by worker managers are cached by design:
|
-- Preload all darklua modules this script requires, so they can initialize all global variables they will use into local ones (because we clear the env). |
|
do |
|
Log.debug("Preloading modules...") |
|
|
|
-- selene: allow(undefined_variable) |
|
local modules = __DARKLUA_BUNDLE_MODULES -- Check .darklua.json |
|
for name, moduleClosure in modules do |
|
if name ~= "cache" then -- darklua places all modules, the load function, and cache table in the same table (we don't want to call cache and load). |
|
moduleClosure() |
|
end |
|
end |
|
end |
|
|
|
setfenv(1, {}) |
Solvable by #27
The worker manager contract, to my best knowledge, means that after all modules top level closures are called, the environment can be poisoned. However, if the environment is poisoned, then this opens up the sandbox's attack surface as sandboxed code MAY be able to call setfenv and trick unsandboxed code into unsafe calling or usage of globals. This is why it is recommended to localize globals before you use them in any code used by worker managers.
Also, the environment is cleared, so using globals after the
setfenv(1, {})call would cause an error.Modules used by worker managers are cached by design:
OpenSB/src/server/workerManager.server.luau
Lines 23 to 36 in 5852ada