Protecting scripts: being loaded via require safely
Why can require be a security risk?
- Encrypted XXTouch script modules can be imported by other scripts or modules via require.
- When your encrypted script is loaded via require, the global environment is untrusted; functions your script calls may have been replaced.
How to use require safely?
- XXTouch guarantees that some module functions are restored to their initial state before require runs. This includes:
  - All functions in the modules os, io, string, device, http, file, table.
- You can deep-copy the global environment into a module-local environment to safely call the above modules' functions.
- Example
-- Put this at the very top of your script
local _ENV = table.deep_copy(_ENV)
-- script body below
--
-- Finally, you may return exported functions or constants
- Also, when a module is loaded via require, the global variable been_require will be set to true unconditionally.
- You can use this variable to detect whether you are being loaded by require.
- Example
-- Put this at the very top of your script
if been_require then
    return -- exit immediately if loaded via require
end
-- script body below
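
Why the environment copy at the top of the script has to be a deep one, as an added example that is not XXTouch's own code and runs under stock Lua 5.3. deep_copy is a stand-in written here for XXTouch's table.deep_copy (assumed to copy nested tables recursively); make_module, shallow_copy and the "<hooked>" replacement are constructed for the demonstration.

```lua
-- Stand-in for XXTouch's table.deep_copy (assumption: recursive copy of nested tables).
local function deep_copy(t, seen)
  if type(t) ~= "table" then return t end
  seen = seen or {}
  if seen[t] then return seen[t] end      -- _G and package.loaded contain cycles
  local c = {}
  seen[t] = c
  for k, v in pairs(t) do c[k] = deep_copy(v, seen) end
  return c
end

-- Copies only the top level: the nested `string` table is still the shared one.
local function shallow_copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Constructed module body: snapshots its environment, then exports two functions.
local function make_module(snapshot)
  local _ENV = snapshot(_ENV)
  return {
    call   = function(s) return string.upper(s) end, -- resolved through the module's _ENV
    method = function(s) return s:upper() end,       -- resolved through the string metatable
  }
end

local plain   = make_module(function(env) return env end) -- no protection
local shallow = make_module(shallow_copy)
local deep    = make_module(deep_copy)

-- The loading script replaces a library function after the module was loaded.
local real_upper = string.upper
string.upper = function() return "<hooked>" end

assert(plain.call("key")   == "<hooked>") -- shared globals: replacement is used
assert(shallow.call("key") == "<hooked>") -- shallow copy still shares the string table
assert(deep.call("key")    == "KEY")      -- deep copy kept the original function
assert(deep.method("key")  == "<hooked>") -- method syntax bypasses the copied _ENV

string.upper = real_upper                 -- restore the real function
print("all checks passed")
```

The last assertion is the caveat to keep in mind: s:upper() goes through the string metatable to the global string table, so inside a protected module call string.upper(s) through the copied environment instead.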