From d63ad75d91014018acd950b0a35e03e23c38e8cc Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 22 Jan 2025 16:32:35 -0600
Subject: [PATCH] lua: add "builtins" file to consolidate registration

Use a single array of built-ins and provide 2 functions for registering them:
- SCLuaLoadBuiltIn: for loading built-in modules in sandboxed environments.
- SCLuaRequirefBuiltIns: registers built-in modules with the standard package tool, allows built-ins to be loaded by output scripts that are not restricted

I hope to refactor the sandbox so they can use SCLuaRequirefBuiltIns as well.
---
 src/Makefile.am | 2 ++
 src/output-lua.c | 3 +++
 src/util-lua-builtins.c | 55 +++++++++++++++++++++++++++++++++++++++++
 src/util-lua-builtins.h | 26 +++++++++++++++++++
 src/util-lua-dataset.c | 4 ++-
 src/util-lua-dataset.h | 2 +-
 src/util-lua-sandbox.c | 9 ++-----
 7 files changed, 92 insertions(+), 9 deletions(-)
 create mode 100644 src/util-lua-builtins.c
 create mode 100644 src/util-lua-builtins.h

diff --git a/src/Makefile.am b/src/Makefile.am
index 9065c8d70910..72d0fe6276d0 100755
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -506,6 +506,7 @@ noinst_HEADERS = \
 	util-landlock.h \
 	util-logopenfile.h \
 	util-log-redis.h \
+	util-lua-builtins.h \
 	util-lua-common.h \
 	util-lua-dataset.h \
 	util-lua-dnp3.h \
@@ -1056,6 +1057,7 @@ libsuricata_c_a_SOURCES = \
 	util-logopenfile.c \
 	util-log-redis.c \
 	util-lua.c \
+	util-lua-builtins.c \
 	util-lua-common.c \
 	util-lua-dataset.c \
 	util-lua-dnp3.c \
diff --git a/src/output-lua.c b/src/output-lua.c
index 4cd1f5924425..001404b97f0d 100644
--- a/src/output-lua.c
+++ b/src/output-lua.c
@@ -25,6 +25,7 @@
 #include "suricata-common.h"
 #include "output-lua.h"
+#include "util-lua-builtins.h"
 #include "util-print.h"
 #include "util-unittest.h"
 #include "util-debug.h"
@@ -417,6 +418,7 @@ static int LuaScriptInit(const char *filename, LogLuaScriptOptions *options)
 {
     if (luastate == NULL)
         goto error;
     luaL_openlibs(luastate);
+    SCLuaRequirefBuiltIns(luastate);
     int status = luaL_loadfile(luastate, filename);
     if (status) {
@@ -551,6 +553,7 @@ static lua_State *LuaScriptSetup(const char *filename)
     }
     luaL_openlibs(luastate);
+    SCLuaRequirefBuiltIns(luastate);
     int status = luaL_loadfile(luastate, filename);
     if (status) {
diff --git a/src/util-lua-builtins.c b/src/util-lua-builtins.c
new file mode 100644
index 000000000000..c826df4d9f6d
--- /dev/null
+++ b/src/util-lua-builtins.c
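Review bot: The pair `luaL_openlibs(luastate); SCLuaRequirefBuiltIns(luastate);` is now duplicated in LuaScriptInit here and in LuaScriptSetup in the next hunk; a small static helper such as `static void LuaScriptOpenLibs(lua_State *L) { luaL_openlibs(L); SCLuaRequirefBuiltIns(L); }` would keep the two states from drifting the next time a built-in or setup step is added. Since the registration in util-lua-builtins.c uses `luaL_requiref(..., 0)`, no globals are created and scripts still have to `require("suricata.hashlib")` / `require("suricata.dataset")`; a one-line comment at the call site saying so saves a reader a trip to the helper. Both enclosing functions start and end outside the hunk.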
@@ -0,0 +1,55 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "suricata-common.h"
+#include "util-lua-builtins.h"
+#include "util-lua-hashlib.h"
+#include "util-lua-dataset.h"
+
+#include "lauxlib.h"
+
+static const luaL_Reg builtins[] = {
+    { "suricata.hashlib", SCLuaLoadHashlib },
+    { "suricata.dataset", LuaLoadDatasetLib },
+    { NULL, NULL },
+};
+
+/**
+ * \brief Load a Suricata built-in module in a sand-boxed environment.
+ */
+bool SCLuaLoadBuiltIns(lua_State *L, const char *name)
+{
+    for (const luaL_Reg *lib = builtins; lib->name; lib++) {
+        if (strcmp(name, lib->name) == 0) {
+            lib->func(L);
+            return true;
+        }
+    }
+    return false;
+}
+
+/**
+ * \brief Register Suricata built-in modules for loading in a
+ * non-sandboxed environment.
+ */
+void SCLuaRequirefBuiltIns(lua_State *L)
+{
+    for (const luaL_Reg *lib = builtins; lib->name; lib++) {
+        luaL_requiref(L, lib->name, lib->func, 0);
+        lua_pop(L, 1);
+    }
+}
diff --git a/src/util-lua-builtins.h b/src/util-lua-builtins.h
new file mode 100644
index 000000000000..8f1865467663
--- /dev/null
+++ b/src/util-lua-builtins.h
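Review bot: `SCLuaLoadBuiltIns` discards the value returned by `lib->func(L)`, and its caller `SCLuaSbRequire` (last hunk) unconditionally returns 1, so the sandbox's `require` silently depends on every loader leaving exactly one value, the module table, on the stack, and nothing checks that. Either state the contract above the table, `/* Each loader is a lua_CFunction that must push exactly one value: the module table. */`, or enforce it with `DEBUG_VALIDATE_BUG_ON(lib->func(L) != 1);` if that macro is reachable from this file. The `builtins` array also doubles as the sandbox allow-list, since any entry becomes loadable from restricted scripts, so a comment such as `/* NOTE: also the sandbox allow-list; review before adding entries that expose host resources. */` would help future maintainers. The commit message names the function `SCLuaLoadBuiltIn` while the code declares `SCLuaLoadBuiltIns`; the two should agree. Unlike `luaL_requiref`, this path does not cache the result in `package.loaded`, so each sandboxed `require` re-runs the loader; worth noting in the doc comment until the planned sandbox refactor lands.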
@@ -0,0 +1,26 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef SURICATA_UTIL_LUA_BUILTINS_H
+#define SURICATA_UTIL_LUA_BUILTINS_H
+
+#include "lua.h"
+
+bool SCLuaLoadBuiltIns(lua_State *L, const char *name);
+void SCLuaRequirefBuiltIns(lua_State *L);
+
+#endif /* SURICATA_UTIL_LUA_BUILTINS_H */
diff --git a/src/util-lua-dataset.c b/src/util-lua-dataset.c
index 6af9ba5901e7..8d1956172637 100644
--- a/src/util-lua-dataset.c
+++ b/src/util-lua-dataset.c
@@ -120,11 +120,13 @@ static const luaL_Reg datasetlib[] = {
 };
 // clang-format on
-void LuaLoadDatasetLib(lua_State *luastate)
+int LuaLoadDatasetLib(lua_State *luastate)
 {
     luaL_newmetatable(luastate, "dataset::metatable");
     lua_pushvalue(luastate, -1);
     lua_setfield(luastate, -2, "__index");
     luaL_setfuncs(luastate, datasetlib, 0);
     luaL_newlib(luastate, datasetlib);
+
+    return 1;
 }
diff --git a/src/util-lua-dataset.h b/src/util-lua-dataset.h
index 2bf0efdddc75..ad551dd11c42 100644
--- a/src/util-lua-dataset.h
+++ b/src/util-lua-dataset.h
@@ -20,6 +20,6 @@
 #include "lua.h"
-void LuaLoadDatasetLib(lua_State *luastate);
+int LuaLoadDatasetLib(lua_State *luastate);
 #endif /* SURICATA_UTIL_LUA_DATASET_H */
diff --git a/src/util-lua-sandbox.c b/src/util-lua-sandbox.c
index 8f63ed0ff74b..ffe8e5b5adc8 100644
--- a/src/util-lua-sandbox.c
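Review bot: The new header uses `bool` in the `SCLuaLoadBuiltIns` prototype but includes only `lua.h`, which does not provide it, so the header is not self-contained and fails to compile if included before `suricata-common.h`. Add `#include <stdbool.h>` next to the `lua.h` include, or, if the project rule is that every translation unit includes `suricata-common.h` first, a one-line comment stating that dependency. The two prototypes would also benefit from a Doxygen note on their stack contract: `SCLuaLoadBuiltIns` invokes the matching loader (which is expected to push the module table) and returns true, or leaves the stack untouched and returns false for an unknown name; `SCLuaRequirefBuiltIns` registers each module in `package.loaded` without creating globals.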
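Review bot: `LuaLoadDatasetLib` now returns 1 but leaves two values on the stack: the metatable pushed by `luaL_newmetatable` is still beneath the table pushed by `luaL_newlib`. That is harmless when the function runs as a lua_CFunction through `luaL_requiref`, and in the sandbox path only because the enclosing `SCLuaSbRequire` returns to Lua right away; any other direct C caller would leak one stack slot per call. Popping the metatable once it is configured, `lua_pop(luastate, 1);` right after the `luaL_setfuncs` line, makes the function leave exactly the module table, matching the `return 1`. A short header comment stating that the function pushes the module table and returns 1 would document the contract the new builtins table relies on.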
+++ b/src/util-lua-sandbox.c
@@ -30,8 +30,7 @@
 #include "util-debug.h"
 #include "util-lua-sandbox.h"
-#include "util-lua-dataset.h"
-#include "util-lua-hashlib.h"
+#include "util-lua-builtins.h"
 #define SANDBOX_CTX "SANDBOX_CTX"
@@ -264,11 +263,7 @@ static int SCLuaSbRequire(lua_State *L)
 {
     const char *module_name = luaL_checkstring(L, 1);
-    if (strcmp(module_name, "suricata.dataset") == 0) {
-        LuaLoadDatasetLib(L);
-        return 1;
-    } else if (strcmp(module_name, "suricata.hashlib") == 0) {
-        SCLuaLoadHashlib(L);
+    if (SCLuaLoadBuiltIns(L, module_name)) {
         return 1;
     }