Enable safe Lua os.* functions

[Dezash]

Loads Lua Os library and disables the following functions:

• os.execute
• os.rename
• os.remove
• os.exit
• os.getenv
• os.tmpname

The following functions are enabled:

• os.clock
• os.date
• os.difftime
• os.setlocale
• os.time

These functions are much faster than MTA's substitute functions.
Here's how os.clock compares with getTickCount:

local startTime = getTickCount()
for i = 1, 1000000 do
    local a = getTickCount()
end
print("getTickCount", getTickCount() - startTime)

startTime = getTickCount()
for i = 1, 1000000 do
    local a = os.clock()
end
print("os.clock", getTickCount() - startTime)

Result:
INFO: getTickCount 3926
INFO: os.clock 418

Almost 10 times faster than getTickCount. Considering that functions such as getTickCount or getRealTime are often used onClientRender, this may allow scripters to slightly increase script performance.

This would also help accommodate people who have knowledge of Lua, but are new to MTA.

[qaisjp]

Thanks. Please move to InitSecurity and set as a disabled function

[CrosRoad95]

You should enable os.tmpname
Generate a name that can be used for a temporary file. This only generates a name, it does not open a file.

http://lua-users.org/wiki/OsLibraryTutorial
could be useful 🙄

[Dezash]

@CrosRoad95 os.tmpname returns a string with the full directory. It might be a security concern.

[Pirulax]

os.clock returns seconds, while getTickCount() returns ms

[Dezash]

@Pirulax it returns a float of 0.001 precision in seconds format, which is the same as milliseconds.

[Pirulax]

I dont know.
Tried to run os.clock() on repl.it, but it's wired a little bit there.
I dont have lua interpreter installed, so I cant test that.
But I remember that I've read something about os.clock() returning seconds only, and if I remembered it correctly, I've read that at math.randomseed() function on lua-users

[Dezash]

@Pirulax it does return seconds, but in 0.001 precision. Read the example from Lua documentation: http://lua-users.org/wiki/OsLibraryTutorial

[AlexTMjugador]

I'm just going to give my two cents here to @Dezash: wouldn't it be better to push the CLuaUtilDefs::DisabledFunction method to the Lua stack, instead of a nil value, to disable these unsafe OS library functions? That method logs an error and pushes false to the Lua stack, which states more clearly MTA's intent to disable those functions to the scripter. Just replacing them with a nil value, on the other hand, is a bit less clear at first hand.

I think (but I'm not sure, I'm not an active C++ developer who works with Lua) you can use lua_pushcfunction(m_luaVM, CLuaUtilDefs::DisabledFunction) to accomplish this, similarly to other disabled functions that follow.

[qaisjp]

@AlexTMjugador agreed. I did mention this in my review but I don't think he noticed 🙂

[Dezash]

Good idea, I missed qaisjp's note somehow.

changes done

[jushar]

We might want to disable os.setlocale as well as it changes the locale globally for the entire application. This could result in unwanted side effects.