为lua构建沙盒环境

我们有时需要限制lua代码的运行环境,或者是让使用者不能访问到lua的一些全局函数.lua语言本身没有类似于C++,C#,Java那样的成员访问控制. 但lua提供了setfenv函数可以很灵活的处理各类权限问题

废话不多说,看代码

   1:  -- 创建沙盒

   2:  function SpawnSandBox( )

3:

   4:      local SandBoxGlobals = {}

5:

   6:      -- 基础函数添加

   7:      SandBoxGlobals.print             = print

   8:      SandBoxGlobals.table             = table

   9:      SandBoxGlobals.string             = string

  10:      SandBoxGlobals.math               = math

  11:      SandBoxGlobals.assert             = assert

  12:      SandBoxGlobals.getmetatable    = getmetatable

  13:      SandBoxGlobals.ipairs             = ipairs

  14:      SandBoxGlobals.pairs             = pairs

  15:      SandBoxGlobals.pcall             = pcall

  16:      SandBoxGlobals.setmetatable    = setmetatable

  17:      SandBoxGlobals.tostring        = tostring

  18:      SandBoxGlobals.tonumber        = tonumber

  19:      SandBoxGlobals.type            = type

  20:      SandBoxGlobals.unpack             = unpack

  21:      SandBoxGlobals.collectgarbage     = collectgarbage

  22:      SandBoxGlobals._G                = SandBoxGlobals

23:

  24:      return SandBoxGlobals

  25:  end

26:

  27:  -- 在沙盒内执行脚本,出错时返回错误,nil表示正确

  28:  function ExecuteInSandBox( SandBox,Script )

29:

  30:      local ScriptFunc,CompileError = loadstring( Script )

31:

  32:      if CompileError then

  33:          return CompileError

  34:      end

35:

  36:      setfenv( ScriptFunc,SandBox )

37:

  38:      local Result,RuntimeError = pcall( ScriptFunc )

  39:      if RuntimeError then

  40:          return RuntimeError

  41:      end

42:

  43:      return nil

  44:  end

45:

  46:  function ProtectedFunction( )

  47:      print("protected func")

  48:  end

49:

50:

  51:  local SandBox = SpawnSandBox( )

52:

53:

  54:  print ( "Response=",ExecuteInSandBox( SandBox,"table.foreach( _G,print )" ) )

55:

  56:  print ( "Response=","ProtectedFunction()" ) )

57:

  58:  SandBox.ProtectedFunction = ProtectedFunction

59:

  60:  print ( "Response=","ProtectedFunction()" ) )

54行执行结果是

   1:  _G    table: 00421258

   2:  string    table: 00421050

   3:  pairs    function: 00567F58

   4:  collectgarbage    function: 005675F0

   5:  unpack    function: 004217E8

   6:  assert    function: 005675B0

   7:  print    function: 00567830

   8:  ipairs    function: 00567F28

   9:  type    function: 004217A8

  10:  tonumber    function: 00421768

  11:  tostring    function: 00421788

  12:  table    table: 00420DA8

  13:  math    table: 004210C8

  14:  setmetatable    function: 00421748

  15:  getmetatable    function: 00567710

  16:  pcall    function: 005677F0

  17:  Response=    nil

54行由于没有注册这个全局函数,因此无法访问

Response= [string "ProtectedFunction()"]:1: attempt to call global 'ProtectedFunction' (a nil value)

58行在全局环境中加上了这个函数,因此在60行访问正常

protected func Response= nil