
Protect Scripts: Use require Properly


Why can require be a security risk?

  • Encrypted XXTouch script modules can be imported by other scripts or modules via require.
  • When your encrypted script is loaded via require, the global environment is untrusted; functions your script calls may have been replaced.

How to use require safely?

  • XXTouch guarantees that the functions of certain modules are restored to their initial state before the script is loaded via require. This covers all functions in os, io, string, device, http, file, and table.
  • You can deep-copy the global environment into a module-local environment to safely call the above modules' functions. Example:
    -- Put this at the very top of your script
    local _ENV = table.deep_copy(_ENV)
    -- script body below
    --
    -- Finally, you may return exported functions or constants
  • When a module is loaded via require, the global variable been_require is unconditionally set to true. You can use it to detect whether the current script is being loaded by require. Example:
    -- Put this at the very top of your script
    if been_require then
      return -- exit immediately if loaded via require
    end
    -- script body below
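
The effect of the `_ENV` snapshot described above, shown as an added example in plain Lua 5.3+ (not XXTouch's own code). `deep_copy` is a hypothetical stand-in for `table.deep_copy`, and the two loader functions and the function swap are constructed to simulate a module being loaded and then called by an untrusted script.

```lua
-- Added example: plain Lua 5.3+, runs outside XXTouch.
-- deep_copy is a hypothetical stand-in for XXTouch's table.deep_copy; it
-- tracks visited tables because _ENV contains cycles (_G._G, package.loaded).
local function deep_copy(value, seen)
  if type(value) ~= "table" then return value end
  seen = seen or {}
  if seen[value] then return seen[value] end
  local copy = {}
  seen[value] = copy
  for k, v in pairs(value) do copy[k] = deep_copy(v, seen) end
  return copy
end

-- Module without a snapshot: `string` is looked up in the shared globals on every call.
local function load_unprotected()
  return { shout = function(s) return string.upper(s) end }
end

-- Module following the page's pattern: snapshot _ENV first, define functions after.
local function load_protected()
  local _ENV = deep_copy(_ENV)
  return {
    shout = function(s) return string.upper(s) end,   -- resolved in the snapshot
    shout_method = function(s) return s:upper() end,  -- resolved via the string metatable
  }
end

local plain, guarded = load_unprotected(), load_protected()

-- Constructed stand-in for an untrusted caller swapping a function after load.
local original_upper = string.upper
string.upper = function() return "REPLACED" end
local results = {
  unprotected = plain.shout("key"),
  protected = guarded.shout("key"),
  protected_method = guarded.shout_method("key"),
}
string.upper = original_upper

assert(results.unprotected == "REPLACED")      -- saw the swapped function
assert(results.protected == "KEY")             -- snapshot kept the original
assert(results.protected_method == "REPLACED") -- method syntax bypasses _ENV in plain Lua
print(results.unprotected, results.protected, results.protected_method)
```

In plain Lua, `s:upper()` resolves through the string metatable rather than `_ENV`, so inside a snapshotted module call library functions as `string.upper(s)`.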