为lua构建沙盒环境

我们有时需要限制lua代码的运行环境,或者是让使用者不能访问到lua的一些全局函数.lua语言本身没有类似于C++, C#, Java那样的成员访问控制. 但lua提供了setfenv函数可以很灵活的处理各类权限问题

废话不多说, 看代码

1:  -- 创建沙盒

2:  function SpawnSandBox( )

3:

4:      local SandBoxGlobals = {}

5:

6:      -- 基础函数添加

7:      SandBoxGlobals.print             = print

8:      SandBoxGlobals.table             = table

9:      SandBoxGlobals.string             = string

10:      SandBoxGlobals.math               = math

11:      SandBoxGlobals.assert             = assert

12:      SandBoxGlobals.getmetatable    = getmetatable

13:      SandBoxGlobals.ipairs             = ipairs

14:      SandBoxGlobals.pairs             = pairs

15:      SandBoxGlobals.pcall             = pcall

16:      SandBoxGlobals.setmetatable    = setmetatable

17:      SandBoxGlobals.tostring        = tostring

18:      SandBoxGlobals.tonumber        = tonumber

19:      SandBoxGlobals.type            = type

20:      SandBoxGlobals.unpack             = unpack

21:      SandBoxGlobals.collectgarbage     = collectgarbage

22:      SandBoxGlobals._G                = SandBoxGlobals

23:

24:      return SandBoxGlobals

25:  end

26:

27:  -- 在沙盒内执行脚本, 出错时返回错误, nil表示正确

28:  function ExecuteInSandBox( SandBox, Script )

29:

30:      local ScriptFunc, CompileError = loadstring( Script )

31:

32:      if CompileError then

33:          return CompileError

34:      end

35:

36:      setfenv( ScriptFunc, SandBox )

37:

38:      local Result, RuntimeError = pcall( ScriptFunc )

39:      if RuntimeError then

40:          return RuntimeError

41:      end

42:

43:      return nil

44:  end

45:

46:  function ProtectedFunction( )

47:      print("protected func")

48:  end

49:

50:

51:  local SandBox = SpawnSandBox( )

52:

53:

54:  print ( "Response=", ExecuteInSandBox( SandBox, "table.foreach( _G, print )" ) )

55:

56:  print ( "Response=", ExecuteInSandBox( SandBox, "ProtectedFunction()" ) )

57:

58:  SandBox.ProtectedFunction = ProtectedFunction

59:

60:  print ( "Response=", ExecuteInSandBox( SandBox, "ProtectedFunction()" ) )

54行执行结果是

1:  _G    table: 00421258

2:  string    table: 00421050

3:  pairs    function: 00567F58

4:  collectgarbage    function: 005675F0

5:  unpack    function: 004217E8

6:  assert    function: 005675B0

7:  print    function: 00567830

8:  ipairs    function: 00567F28

9:  type    function: 004217A8

10:  tonumber    function: 00421768

11:  tostring    function: 00421788

12:  table    table: 00420DA8

13:  math    table: 004210C8

14:  setmetatable    function: 00421748

15:  getmetatable    function: 00567710

16:  pcall    function: 005677F0

17:  Response=    nil

54行由于没有注册这个全局函数, 因此无法访问
Response= [string "ProtectedFunction()"]:1: attempt to call global 'ProtectedFunction' (a nil value)

58行在全局环境中加上了这个函数,因此在60行访问正常
protected func

Response= nil