I am attempting to secure LUA on my game (players can create scripts in LUA). I've removed many functions to create a sandbox of sorts, (AKA removing os.execute function for example.) however, my game does use loading of scripts from other locations to make coding less redundant. Aka:
require("Scripts/Additional/Crafting") at the top of the file.
To me, this is fine, but I don't know the impact of leaving require/load/file.read() without restrictions as it is, or if possible to override it so that they cannot load or read a file from outside the server.
Right now I'm using NLUA (C#) with LUA5.2. I am removing the functions when I create the LUA state.
What I'd love to do, is keep LOAD/REQUIRE/etc but override it with an initial check before hand to make sure they are in the SCRIPT directory. The new function itself won't be editable (as I'll hard code it in C# with NLUA or make a separate file that is outside of a folder they cannot access).
Alternatively, I can run a quick check on the script via C# for these functions and validate the directories they use with a REGEX but was wondering if LUA can handle it itself.
Sorry if this isn't explained properly.
Lua >=5.2 has function environment
_ENVuseful to sandbox environment, like in your case. See http://lua-users.org/wiki/EnvironmentsTutorial