-- RestrictedExecution.lua (Part of the new Secure Headers implementation)
--
-- This contains the necessary (and sufficient) code to support
-- 'restricted execution' for code provided via attributes, intended
-- for use in the secure header implementations. It provides a fairly
-- isolated execution environment and is constructed to maintain local
-- control over the important elements of the execution environment.
--
-- Daniel Stephens (iriel@vigilance-committee.org)
-- Nevin Flanagan (alestane@comcast.net)
---------------------------------------------------------------------------

-- Localizes for functions that are frequently called or need to be
-- assuredly un-replaceable or unhookable.
local type = type;
local error = error;
local scrub = scrub;
local issecure = issecure;
local setfenv = setfenv;
local loadstring = loadstring;
local setmetatable = setmetatable;
local getmetatable = getmetatable;
local pcall = pcall;
local tostring = tostring;
local newproxy = newproxy;
local select = select;

local IsFrameHandle = IsFrameHandle;
local IsWritableRestrictedTable = IsWritableRestrictedTable;

---------------------------------------------------------------------------
-- RESTRICTED CLOSURES

local function SelfScrub(self)
    if (self ~= nil and IsFrameHandle(self)) then
        return self;
    end
    return nil;
end

-- closure, err = BuildRestrictedClosure(body, env, signature)
--
-- body      -- The function body (defaults to "")
-- env       -- The execution environment (defaults to {})
-- signature -- The function signature (defaults to "self,...")
--
-- Returns the constructed closure, or nil and an error
local function BuildRestrictedClosure(body, env, signature)
    body = tostring(body) or "";
    signature = tostring(signature) or "self,...";
    if (type(env) ~= "table") then
        env = {};
    end

    if (body:match("function")) then
        -- NOTE - This is overzealous but it keeps it simple
        return nil, "The function keyword is not permitted";
    end

    if (body:match("[{}]")) then
        -- NOTE - This is overzealous but it keeps it simple
        return nil, "Direct table creation is not permitted";
    end

    if (signature:match("function")) then
        -- NOTE - This is overzealous but it keeps it simple
        return nil, "The function keyword is not permitted";
    end

    if (not signature:match("^[a-zA-Z_0-9, ]*[.]*$")) then
        -- NOTE - This is overzealous but it keeps it simple
        return nil, "Signature contains invalid characters (" .. signature .. ")";
    end

    -- Include a \n before end to stop shenanigans with comments
    local def, err =
        loadstring("return function (" .. signature .. ") " .. body .. "\nend", body);
    if (def == nil) then
        return nil, err;
    end

    -- Use a completely empty environment here to be absolutely
    -- sure to avoid tampering during function definition.
    setfenv(def, {});
    def = def();
    -- Double check that the definition did infact return a function
    if (type(def) ~= "function") then
        return nil, "Invalid body";
    end
    -- Set the desired environment on the resulting closure.
    setfenv(def, env);

    -- And then return a 'safe' wrapped invocation for the closure.
    return function(self, ...) return def(SelfScrub(self), scrub(...)) end;
end

-- Max number of cached closures before cache dump, if this value proves
-- problematic we may wish to make it tunable.
local CLOSURE_CACHE_MAX = 1000;

-- factory = CreateClosureFactory(env, signature)
--
-- env -- The desired environment table for the closures
-- signature -- The function signature for the closures
--
-- Returns a 'factory table' which is keyed by function bodies, and
-- has restricted closure values. It's weak-keyed and uses an __index
-- metamethod that automatically creates necessary closures on demand.
local function CreateClosureFactory(env, signature)
    local newCache, oldCache = {}, {};
    local newCount = 0;

    local function metaIndex(t, k)
        if (type(k) == "string") then
            local closure = oldCache[k];
            if (not closure) then
                local newClosure, err = BuildRestrictedClosure(k, env, signature);
                if (newClosure) then
                    closure = newClosure;
                else
                    -- Put the error into a closure to avoid constantly
                    -- re-parsing it
                    err = tostring(err or "Closure creation failed");
                    closure = function() error(err) end;
                end
            end
            if (issecure()) then
                newCount = newCount + 1;
                if (newCount > CLOSURE_CACHE_MAX) then
                    -- The cache is full, rotate it
                    for ok in pairs(t) do
                        t[ok] = nil;
                    end
                    oldCache = newCache;
                    newCache = {};
                    newCount = 0;
                end

                newCache[k] = closure;
                t[k] = closure;
            end
            return closure;
        end
        error("Invalid closure body type (" .. type(k) .. ")");
        return nil;
    end

    local ret = {};
    setmetatable(ret, { __index = metaIndex });
    return ret;
end

---------------------------------------------------------------------------
-- RESTRICTED ENVIRONMENT
--
-- environment, manageFunc = CreateRestrictedEnvironment(baseEnvironment)
--
-- baseEnvironment -- The base environment table (containing functions)
--
-- environment     -- The new restricted environment table
-- manageFunc      -- Management function to set/clear working and proxy
--                    environments.
--
-- The management function takes two parameters
--    manageFunc(set, workingTable, controlHandle)
--
-- set is a boolean;  If it's true then the working table is set to the
-- specified value (pushing any previous environment onto a stack). If
-- it's false then the working table is unset (and restored from stack).
--
-- The working table should be a restricted table, or an immutable object.
--
-- The controlHandle is an optional object which is made available to
-- the restricted code with the name 'control'.
--
-- The management function monitors calls to get and set in order to prevent
-- re-entrancy (i.e. calls to get and set must be balanced, and one cannot
-- switch working tables in the middle).
local function CreateRestrictedEnvironment(base)
    if (type(base) ~= "table") then base = {}; end

    local working, control, depth = nil, nil, 0;
    local workingStack, controlStack = {}, {};

    local result = {};
    local meta_index;

    local function meta_index(t, k)
        local v = base[k] or working[k];
        if (v == nil) then
            if (k == "control") then return control; end
        end
        return v;
    end;

    local function meta_newindex(t, k, v)
        working[k] = v;
    end

    local meta = {
        __index = meta_index,
        __newindex = meta_newindex,
        __metatable = false;
        __environment = false;
    }

    setmetatable(result, meta);

    local function manage(set, newWorking, newControl)
        if (set) then
            if (depth == 0) then
                depth = 1;
            else
                workingStack[depth] = working;
                controlStack[depth] = control;

                depth = depth + 1;
            end
            working = newWorking;
            control = newControl;
        else
            if (depth == 0) then
                error("Attempted to release unused environment");
                return;
            end

            if (working ~= newWorking) then
                error("Working environment mismatch at release");
                return;
            end

            if (control ~= newControl) then
                error("Control handle mismatch at release");
                return;
            end

            depth = depth - 1;
            if (depth == 0) then
                working = nil;
                control = nil;
            else
                working = workingStack[depth];
                control = controlStack[depth];
                workingStack[depth] = nil;
                controlStack[depth] = nil;
            end
        end
    end

    return result, manage;
end

---------------------------------------------------------------------------
-- AVAILABLE FUNCTIONS
--
-- The current implementation has a single set of functions (aka a single
-- base environment), this initializes that environment by creating a master
-- base environment table, and then creating a restricted environment
-- around that. If the RESTRICTED_FUNCTIONS_SCOPE table exists when
-- this file is executed then its contents are added to the environment.
--
-- It is expected that any functions that are to be placed into this
-- environment have been carefully written to not return arbtirary tables,
-- functions, or userdata back to the caller.
--
-- One can use function(...) return scrub(realFunction(...)) end to wrap
-- those functions one doesn't trust.

-- A metatable to prevent tampering with the environment tables.
local LOCAL_No_Secure_Update_Meta = {
    __newindex = function() end;
    __metatable = false;
};

local LOCAL_Restricted_Global_Functions = {
    newtable = rtable.newtable;
    pairs = rtable.pairs;
    ipairs = rtable.ipairs;
    next = rtable.next;
    unpack = rtable.unpack;

    -- Table methods
    wipe = rtable.wipe;
    tinsert = rtable.insert;
    tremove = rtable.remove;

    -- Synthetic restricted-table-aware 'type'
    type = rtable.type;

    -- Restricted table aware gsub
    rtgsub = rtable.rtgsub;
};

-- A helper function to recursively copy and protect scopes
local function PopulateGlobalFunctions(src, dest)
    for k, v in pairs(src) do
        if (type(k) == "string") then
            local tv = type(v);
            if ((tv == "function") or (tv == "number") or (tv == "string") or (tv == "boolean")) then
                dest[k] = v;
            elseif (tv == "table") then
                local subdest = {};
                PopulateGlobalFunctions(v, subdest);
                setmetatable(subdest, LOCAL_No_Secure_Update_Meta);
                local dproxy = newproxy(true);
                local dproxy_meta = getmetatable(dproxy);
                dproxy_meta.__index = subdest;
                dproxy_meta.__metatable = false;
                dest[k] = dproxy;
            end
        end
    end
end

-- Import any functions initialized by other/earier files
if (RESTRICTED_FUNCTIONS_SCOPE) then
    PopulateGlobalFunctions(RESTRICTED_FUNCTIONS_SCOPE,
                            LOCAL_Restricted_Global_Functions);
    RESTRICTED_FUNCTIONS_SCOPE = nil;
end

local LOCAL_Table_Namespace = {
    table = {
        maxn = rtable.maxn;
        insert = rtable.insert;
        remove = rtable.remove;
        sort = rtable.sort;
        concat = rtable.concat;
        wipe = rtable.wipe;
        new = rtable.newtable;
    }
};

PopulateGlobalFunctions(LOCAL_Table_Namespace,
                        LOCAL_Restricted_Global_Functions);

-- Create the environment
local LOCAL_Function_Environment, LOCAL_Function_Environment_Manager =
    CreateRestrictedEnvironment(LOCAL_Restricted_Global_Functions);

-- Protect from injection via the string metatable index
-- Assume for now that 'string' is relatively clean
local strmeta = getmetatable("x");
local newmetaindex = {};
for k, v in pairs(string) do newmetaindex[k] = v; end
setmetatable(newmetaindex, {
                 __index = function(t,k)
                               if (not issecure()) then
                                   return string[k];
                               end
                           end;
                 __metatable = false;
             });
strmeta.__index = newmetaindex;
strmeta.__metatable = string;
strmeta = nil;
newmetaindex = nil;

---------------------------------------------------------------------------
-- CLOSURE FACTORIES
--
-- An automatically populating table keyed by function signature with
-- values that are closure factories for those signatures.

local LOCAL_Closure_Factories = { };

local function ClosureFactories_index(t, signature)
    if (type(signature) ~= "string") then
        return;
    end

    local factory = CreateClosureFactory(LOCAL_Function_Environment, signature);

    if (not issecure()) then
        error("Cannot declare closure factories from insecure code");
        return;
    end

    t[signature] = factory;
    return factory;
end

setmetatable(LOCAL_Closure_Factories, { __index = ClosureFactories_index });

---------------------------------------------------------------------------
-- FUNCTION CALL

-- A helper method to release the restricted environment environment before
-- returning from the function call.
local function ReleaseAndReturn(workingEnv, ctrlHandle, pcallFlag, ...)
    -- Tampering at this point will irrevocably taint the protected
    -- environment, for now that's a handy protective measure.
    LOCAL_Function_Environment_Manager(false, workingEnv, ctrlHandle);
    if (pcallFlag) then
        return ...;
    end
    error("Call failed: " .. tostring( (...) ) );
end

-- ? = CallRestrictedClosure(signature, workingEnv, onupdate, body, ...)
--
-- Invoke a managed closure, looking its definition up from a factory
-- and managing its environment during execution.
--
-- signature  -- function signature
-- workingEnv -- the working environment, must be a restricted table
-- ctrlHandle -- a control handle
-- body       -- function body
-- ...        -- any arguments to pass to the executing closure
--
-- Returns whatever the restricted closure returns
function CallRestrictedClosure(signature, workingEnv, ctrlHandle, body, ...)
    if (not IsWritableRestrictedTable(workingEnv)) then
        error("Invalid working environment");
        return;
    end

    signature = tostring(signature);
    local factory = LOCAL_Closure_Factories[signature];
    if (not factory) then
        error("Invalid signature '" .. signature .. "'");
        return;
    end

    local closure = factory[body];
    if (not closure) then
        -- Expect factory to have thrown an error
        return;
    end

    if (not issecure()) then
        error("Cannot call restricted closure from insecure code");
        return;
    end

    if (type(ctrlHandle) ~= "userdata") then
        ctrlHandle = nil;
    end

    LOCAL_Function_Environment_Manager(true, workingEnv, ctrlHandle);
    return ReleaseAndReturn(workingEnv, ctrlHandle, pcall( closure, ... ) );
end