1
0
forked from osmarks/potatOS

Merge pull request 'Add yet another sandbox escape' (#9) from 6_4/potatOS:master into master

Reviewed-on: osmarks/potatOS#9
This commit is contained in:
osmarks 2024-07-16 14:17:27 +00:00
commit 88469da2cb

View File

@ -43,6 +43,25 @@ local function scan_environment(fn)
if is_probably_filesystem(k) then return k end
end
local function scan_stack(thread)
local level = 1
while debug.getinfo(thread, level) do
local index = 1
repeat
local name, value = debug.getlocal(thread, level, index)
if is_probably_filesystem(value) then return value end
if type(value) == "function" then
local ok, value = pcall(harvest_upvalues, value)
if ok and value then return value end
ok, value = pcall(scan_environment, value)
if ok and value then return value end
end
index = index + 1
until not name
level = level + 1
end
end
local escapes = {
load_env = function()
local k = dgetfenv(load("")).fs
@ -59,7 +78,6 @@ local escapes = {
[=[]=]end),_]=======][=[==]=]})
[#[=======[==]=======]]return _
]=================][===[==]===]
if is_probably_filesystem(k) then return k end
end,
getfenv = function()
@ -91,6 +109,28 @@ local escapes = {
end
i = i + 1
end
end,
scan_most_threads = function()
if not debug then return end
if not (debug.getinfo and debug.getlocal) then return end
local running = coroutine.running()
local threads_to_scan = {}
local old_resume = coroutine.resume
coroutine.resume = function(...)
threads_to_scan[coroutine.running()] = true
threads_to_scan[...] = true
if ... == running then
coroutine.resume = old_resume
end
return old_resume(...)
end
sleep(0)
for thread, _ in pairs(threads_to_scan) do
if type(thread) == "thread" then
local ok, value = pcall(scan_stack, thread)
if ok and value then return value end
end
end
end
}