[lua] Ask for permission to open a WebSocket from scripts

2024-10-06 06:50:07 +00:00 · 2021-10-07 19:37:10 -03:00 · 2021-10-07 19:37:10 -03:00 · 6e84bb5443
commit 6e84bb5443
parent b9241e6d91
4 changed files with 13 additions and 3 deletions
--- a/data/strings/en.ini
+++ b/data/strings/en.ini
@ -1377,11 +1377,13 @@ title = Security
 script_label = The following script:
 file_label = wants to access to this file:
 command_label = wants to execute the following command:
+websocket_label = wants to open a WebSocket connection to this URL:
 dont_show_for_this_access = Don't show this specific alert again for this script
 dont_show_for_this_script = Give full trust to this script
 allow_execute_access = &Allow Execute Access
 allow_write_access = &Allow Write Access
 allow_read_access = &Allow Read Access
+allow_open_conn_access = &Allow to Open Connections
 give_full_access = Give Script Full &Access
 stop_script = &Stop Script

--- a/src/app/script/security.cpp
+++ b/src/app/script/security.cpp
@ -136,6 +136,8 @@ bool ask_access(lua_State* L,
      return true;

    std::string allowButtonText =
+      mode == FileAccessMode::OpenSocket ?
+        Strings::script_access_allow_open_conn_access():
      mode == FileAccessMode::Execute ?
        Strings::script_access_allow_execute_access():
      mode == FileAccessMode::Write ?
@ -150,6 +152,7 @@ bool ask_access(lua_State* L,
      switch (resourceType) {
        case ResourceType::File: label = Strings::script_access_file_label(); break;
        case ResourceType::Command: label = Strings::script_access_command_label(); break;
+        case ResourceType::WebSocket: label = Strings::script_access_websocket_label(); break;
      }
      dlg.fileLabel()->setText(label);
    }
--- a/src/app/script/security.h
+++ b/src/app/script/security.h
@ -23,11 +23,13 @@ namespace script {
    Write = 2,
    Read = 4,
    Full = 7,
+    OpenSocket = 8,
  };

  enum class ResourceType {
    File,
    Command,
+    WebSocket,
  };

  int secure_io_open(lua_State* L);
--- a/src/app/script/websocket_class.cpp
+++ b/src/app/script/websocket_class.cpp
@ -1,6 +1,5 @@
 // Aseprite
-// Copyright (C) 2018-2020  Igara Studio S.A.
-// Copyright (C) 2018  David Capello
+// Copyright (C) 2021  Igara Studio S.A.
 //
 // This program is distributed under the terms of
 // the End-User License Agreement for Aseprite.
@ -13,6 +12,7 @@
 #include "app/console.h"
 #include "app/script/engine.h"
 #include "app/script/luacpp.h"
+#include "app/script/security.h"
 #include "ui/system.h"

 #include <ixwebsocket/IXNetSystem.h>
@ -39,6 +39,9 @@ int WebSocket_new(lua_State* L)
  if (lua_istable(L, 1)) {
    lua_getfield(L, 1, "url");
    if (const char* s = lua_tostring(L, -1)) {
+      if (!ask_access(L, s, FileAccessMode::OpenSocket, ResourceType::WebSocket))
+        return luaL_error(L, "the script doesn't have access to create a WebSocket for '%s'", s);
+
      ws->setUrl(s);
    }
    lua_pop(L, 1);
@ -180,7 +183,7 @@ const Property WebSocket_properties[] = {
  { nullptr, nullptr, nullptr }
 };

-} // namespace { }
+} // anonymous namespace

 using WebSocket = ix::WebSocket;
 DEF_MTNAME(WebSocket);