From b5c6b523a39600b0c1c884fd12a25134979aef18 Mon Sep 17 00:00:00 2001
From: Ritchie Cunningham
Date: Sat, 1 Nov 2025 17:56:43 +0000
Subject: [PATCH] [Add] Closed some vulns allowing Lua to escape sandbox.
---
common/src/lua_processor.cpp | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/common/src/lua_processor.cpp b/common/src/lua_processor.cpp
index 590ec16..1b003e5 100644
--- common/src/lua_processor.cpp
+++ common/src/lua_processor.cpp
@@ -11,6 +11,20 @@ LuaProcessor::LuaProcessor(Session& context) { _lua.open_libraries(sol::lib::base, sol::lib::string, sol::lib::table);
+ /* Remove some dangerous functions from the base lib. */
+ _lua["dofile"] = sol::nil;
+ _lua["loadfile"] = sol::nil;
+ _lua["load"] = sol::nil;
+ _lua["pcall"] = sol::nil;
+ _lua["xpcall"] = sol::nil;
+ _lua["collectgarbage"] = sol::nil;
+ _lua["getmetatable"] = sol::nil;
+ _lua["setmetatable"] = sol::nil;
+ _lua["rawequal"] = sol::nil;
+ _lua["rawget"] = sol::nil;
+ _lua["rawset"] = sol::nil;
+ _lua["rawlen"] = sol::nil;
+ /* Expose vfs_node struct members to Lua. */ _lua.new_usertype("vfs_node", "name", &vfs_node::name,
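Review bot: The nil-assignment list after `open_libraries` is a denylist, so anything it does not name stays reachable: `string.dump` is still exposed through `sol::lib::string`, and if this is built against Lua 5.1 or LuaJIT (not visible here) `loadstring`, `setfenv` and `getfenv` remain in the base library as well. I would add `_lua["loadstring"] = sol::nil;` and `_lua["string"]["dump"] = sol::nil;` alongside the others, and longer term run scripts in a `sol::environment` that is filled only with vetted functions, so a Lua upgrade cannot silently add a new entry point. Removing `pcall`/`xpcall` also means scripts can no longer recover from errors, which deserves a comment saying it is intended. The constructor body continues past the end of the hunk.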