SecureLuaVirtualMachine - Controlled Execution Environment

HexadecimalLiker · January 28, 2024, 2:28pm

Sorry for the delay. Could you send the script that causes the error (Input) and the Logs? (They can be turned on from inside the SLVM module by setting SLVM_DEBUG_ENABLED to true)

fares14213 · January 28, 2024, 2:30pm

__index is the problem
Yes i have analyzed and he blocked in this script: (OOP)

local Signal = {}
Signal.__index = Signal
Signal.ClassName = "Signal"
function Signal.new()
	local self = setmetatable({}, Signal)

	self._pdending = nil
	self._gvdata = nil
	self._bindableEvent = Instance.new("BindableEvent")
	self:Initialize()

	return self
end

function Signal.newWith(be)
	local self = setmetatable({}, Signal)

	self._pdending = nil
	self._gvdata = nil
	self._bindableEvent = be
	self:Initialize()

	return self
end

function Signal:GetPending()
	return self._pdending
end

function Signal:Initialize()
	self._bindableEvent.Event:Connect(function(...)
		self._pdending = ...
	end)
end

function Signal:Fire(...)
	self._bindableEvent:Fire(...)
end

function Signal:Connect(handler)
	if type(handler) == "function" then
		return self._bindableEvent.Event:Connect(function(...)
			handler(...)
		end)
	end
	return "function?"
end
function Signal:ConnectParallel(handler)
	if type(handler) == "function" then
		return self._bindableEvent.Event:ConnectParallel(function(...)
			handler(...)
		end)
	end
	return "function?"
end
function Signal:Wait()
	return self._bindableEvent.Event:Wait()
end
function Signal:Destroy()
	if self._bindableEvent then
		self._bindableEvent:Destroy()
		self._bindableEvent = nil
	end
end
return Signal
--[[local Connection = {}
Connection.__index = Connection

function Connection.new(callback)
	return setmetatable({
		_Callback = callback
	}, Connection)
end

function Connection:Disconnect()
	self._Callback = nil
	setmetatable(self,nil)
end


local Signal = {}
Signal.__index = Signal

function Signal.new()
	return setmetatable({
		_Threads = {},
		Firing = false,
		_gvdata = {}
	}, Signal)
end

function Signal:Fire(...)
	for threadOrConnection,_Type in pairs(self._Threads) do
		if _Type == "Connection" then
			if threadOrConnection._Callback == nil then self._Threads[threadOrConnection] = nil else
				task.spawn(threadOrConnection._Callback,...)
			end
		elseif _Type == "ConnectOnce" then
			if threadOrConnection._Callback ~= nil then
				task.spawn(threadOrConnection._Callback,...)
				threadOrConnection:Disconnect()
			end
		elseif _Type == "Wait" then
			self._Threads[threadOrConnection] = nil
			task.spawn(threadOrConnection, ...)
		end
	end
end

function Signal:Wait(duration : number?)
	local Running = coroutine.running()
	self._Threads[Running] = "Wait"
	if duration then
		task.delay(duration, function(thread)
			local stillYielding = self._Threads[thread]
			if stillYielding then
				self._Threads[thread] = nil
				task.spawn(thread)
			end
		end, Running)
	end
	return coroutine.yield()
end

function Signal:Connect(callback: () -> ())
	local connection = Connection.new(callback)
	self._Threads[connection] = "Connection"
	return connection
end

function Signal:ConnectOnce(callback: () -> ())
	local connection = Connection.new(callback)
	self._Threads[connection] = "ConnectOnce"
	return connection
end

function Signal:Destroy()

	self._Connections = nil
	self._Yielding = nil
	self.Firing = nil
	setmetatable(self,{__index = function() return nil end})

end


return Signal--]]

HexadecimalLiker · January 28, 2024, 2:32pm

I am not getting any errors when running the script

And neither when running this below the script you sent:

Signal.new():Fire()

fares14213 · January 28, 2024, 2:37pm

You right, i guess it’s me i wrongly type something. I don’t have stack overflow anymore.
Thanks anyways!

KinderHSPVA · February 4, 2024, 12:03am

Is there a way I can allow players to require a specific ModuleScript and run a specific ModuleScript function?

HexadecimalLiker · February 4, 2024, 11:41am

Yes, using hooks and read hooks it is possible:

-- Assuming VM is a LuaVM object
local allowedModule = ... -- whatever module
local requiredAllowedModule = require(allowedModule)

VM:ReplaceClosure(require, function(module)
    assert(module == allowedModule, "module cannot be required")

    return requiredAllowedModule
end)

VM:AddReadHook(requiredAllowedModule, function(self, Index, NormalValue)
	if type(Index) == "string" then
		--// CheckCString should not be used in non c function hooks  
		if "someFunc" == Index then --> Replace someFunc with the function's index in the module
			return NormalValue
		end
	end
	
	error("cannot use function '" .. Index .. "' from module", 2)
end)

fares14213 · February 20, 2024, 7:51am

So my problem is Signal.__index = Signal because when i remove this line, this unlocks the script but it gives me error cause __index is important after. Any solution?
i enabled this settings:

LuaVM:EnableAdditionalSetting(SLVM.Enum.AdditionalSettings.ThrottleLoopInstructions)
	LuaVM:EnableAdditionalSetting(SLVM.Enum.AdditionalSettings.ThrottleRecursiveCalls)
	LuaVM:EnableAdditionalSetting(SLVM.Enum.AdditionalSettings.SandboxCalls)

HexadecimalLiker · February 21, 2024, 12:08pm

I ran exactly the script you gave me, however if you did not find a solution to your problem, disable SandboxCalls although that is not recommended.

fares14213 · February 21, 2024, 12:11pm

I found a solution I have put the __index script inside of a module script.
But do you have a idea how to optimize the lua vm? Because i run a lot of script inside of the lua vm and i takes 4-5 minutes to load (very annoying)

HexadecimalLiker · February 22, 2024, 4:44pm

I am no longer actively updating this module. However feel free to give suggestions and I will do my best to implement them. I sadly cannot do much regarding the VM’s speed.

KinderHSPVA · March 7, 2024, 5:59pm

Any way to allow Instance.new(), but only for GuiObjects?

bluebxrrybot · March 7, 2024, 7:10pm

Set Instance to a new local variable before the rest of the script runs. You can regulate it yourself that way!

HexadecimalLiker · March 7, 2024, 7:22pm

For some reason I cannot send my answer

KinderHSPVA · March 7, 2024, 8:54pm

That’s ok! Send it when you can.

KinderHSPVA · March 19, 2024, 11:39pm

Hi, are you able to send the answer now?

HexadecimalLiker · March 20, 2024, 7:09am

Sorry for the delay;

One can use the roblox api dump https://github.com/MaximumADHD/Roblox-Client-Tracker/blob/roblox/Full-API-Dump.json and check if the object requested’s superclass is “GuiObject”. I cannot send a code snippet example right now, but I’ll send one when I’ll be available.

fares14213 · March 26, 2024, 4:43am

Have you any idea to improve performance in the slvmrules.AdditionalSettings.SandboxCalls function, cause when i disabling it, it runs more faster. But i want security?

SomeScripter3 · March 26, 2024, 6:08pm

If disabling that gives you performance then don’t worry about security

HexadecimalLiker · March 26, 2024, 9:36pm

No I sadly cannot make it any faster.

You could however block getfenv and debug.info

fares14213 · March 27, 2024, 4:11am

Ok no problem, your module is very nice, back to back my loadstring module was sht and lagging all the times and now with your module the situation has improved!