wml test for cve-2018-1999023

this test whether we succesfully prevent the exceution and parsing of precompiled lua chunks, which can be used to break the lua sandbox. This test does not cover all affected functions in particular not the ai code that loads lua chunks. (cherry-picked from commit 6b13a63bb0999e1c494a4236a5d565306db5a0b9)
2025-04-29 20:16:04 +00:00 · 2018-07-24 02:11:40 +02:00 · 2018-07-24 02:11:40 +02:00 · a414703946
commit a414703946
parent 120e8d9911
4 changed files with 34 additions and 0 deletions
--- a/data/test/scenarios/bytecode.lua
+++ b/data/test/scenarios/bytecode.lua
--- a/data/test/scenarios/test_cve_2018_1999023.cfg
+++ b/data/test/scenarios/test_cve_2018_1999023.cfg
@ -0,0 +1,29 @@
+{GENERIC_UNIT_TEST "cve_2018_1999023" (
+    [lua]
+        code = << pcall(function() wesnoth.dofile("test/scenarios/bytecode.lua") end) >>
+    [/lua]
+    [lua]
+        code = << pcall(function() wesnoth.require("test/scenarios/bytecode.lua") end) >>
+    [/lua]
+    [lua]
+        code = <<
+		local function f1()
+			bytecode_executed = true
+		end
+		local f2, err = load(string.dump(f1))
+		if f2 then
+			f2()
+		end
+		>>
+    [/lua]
+    [event]
+        name = prestart
+        [lua]
+        code = <<
+			wml.variables["execution_prevented"] = not rawget(_G, "bytecode_executed")
+        >>
+        [/lua]
+        {ASSERT ({VARIABLE_CONDITIONAL execution_prevented equals yes})}
+        {SUCCEED}
+    [/event]
+)}
--- a/data/test/scenarios/test_cve_2018_1999023_2.cfg
+++ b/data/test/scenarios/test_cve_2018_1999023_2.cfg
--- a/5
+++ b/5
@ -11,6 +11,11 @@
 0 fixed_lua_random_replay_with_sync_choice
 0 test_end_turn
 #
+# Security test
+#
+0 cve_2018_1999023
+1 cve_2018_1999023_2
+#
 # Test Check Victory (If this isn't working other tests may have dubious value)
 #
 2 check_victory_basic_timeout