为lua构建沙盒(SandBox)环境
我们有时需要限制lua代码的运行环境,或者是让使用者不能访问到lua的一些全局函数.lua语言本身没有类似于C++, C#, Java那样的成员访问控制. 但lua提供了setfenv函数可以很灵活的处理各类权限问题
废话不多说, 看代码
1: -- 创建沙盒
2: function SpawnSandBox( )
3:
4: local SandBoxGlobals = {}
5:
6: -- 基础函数添加
7: SandBoxGlobals.print = print
8: SandBoxGlobals.table = table
9: SandBoxGlobals.string = string
10: SandBoxGlobals.math = math
11: SandBoxGlobals.assert = assert
12: SandBoxGlobals.getmetatable = getmetatable
13: SandBoxGlobals.ipairs = ipairs
14: SandBoxGlobals.pairs = pairs
15: SandBoxGlobals.pcall = pcall
16: SandBoxGlobals.setmetatable = setmetatable
17: SandBoxGlobals.tostring = tostring
18: SandBoxGlobals.tonumber = tonumber
19: SandBoxGlobals.type = type
20: SandBoxGlobals.unpack = unpack
21: SandBoxGlobals.collectgarbage = collectgarbage
22: SandBoxGlobals._G = SandBoxGlobals
23:
24: return SandBoxGlobals
25: end
26:
27: -- 在沙盒内执行脚本, 出错时返回错误, nil表示正确
28: function ExecuteInSandBox( SandBox, Script )
29:
30: local ScriptFunc, CompileError = loadstring( Script )
31:
32: if CompileError then
33: return CompileError
34: end
35:
36: setfenv( ScriptFunc, SandBox )
37:
38: local Result, RuntimeError = pcall( ScriptFunc )
39: if RuntimeError then
40: return RuntimeError
41: end
42:
43: return nil
44: end
45:
46: function ProtectedFunction( )
47: print("protected func")
48: end
49:
50:
51: local SandBox = SpawnSandBox( )
52:
53:
54: print ( "Response=", ExecuteInSandBox( SandBox, "table.foreach( _G, print )" ) )
55:
56: print ( "Response=", ExecuteInSandBox( SandBox, "ProtectedFunction()" ) )
57:
58: SandBox.ProtectedFunction = ProtectedFunction
59:
60: print ( "Response=", ExecuteInSandBox( SandBox, "ProtectedFunction()" ) )
54行执行结果是
1: _G table: 00421258
2: string table: 00421050
3: pairs function: 00567F58
4: collectgarbage function: 005675F0
5: unpack function: 004217E8
6: assert function: 005675B0
7: print function: 00567830
8: ipairs function: 00567F28
9: type function: 004217A8
10: tonumber function: 00421768
11: tostring function: 00421788
12: table table: 00420DA8
13: math table: 004210C8
14: setmetatable function: 00421748
15: getmetatable function: 00567710
16: pcall function: 005677F0
17: Response= nil
54行由于没有注册这个全局函数, 因此无法访问
Response= [string "ProtectedFunction()"]:1: attempt to call global 'ProtectedFunction' (a nil value)
58行在全局环境中加上了这个函数,因此在60行访问正常
protected func
Response= nil
Response= nil