fix(scripting/exploit): Redefine os.system to prevent command execution on the server.

[ekaliclua]

Redefine os.execute to prevent command execution on the server

Goal of this PR

The goal of this PR is to redefine the os.execute function to prevent it from being used to execute commands on the server. This is done to enhance security by ensuring that no arbitrary system commands can be run through this function.

How is this PR achieving the goal

This PR achieves the goal by redefining the os.execute function to raise an error with a message indicating that the function has been disabled for security reasons. This prevents any attempt to use os.system to execute commands.

This PR applies to the following area(s)

• Server
• ScRT: Lua

Successfully tested on

Game builds: Latest stable build

Platforms: Windows, Linux

Checklist

• Code compiles and has been tested successfully.
• Code explains itself well and/or is documented.
• My commit message explains what the changes do and what they are for.
• No extra compilation warnings are added by these changes.

Fixes issues

/

[FabianTerhorst]

Can you make it depend on a ConVar? We can't do this by default without breaking preexisting scripts.

[p1u3o]

Can this not be tied to some kind of ace permission similar to ExecuteCommand?

Saying that, the current implementation of this can by bypassed by the various io.* functions

[AvarianKnight]

Would it not make more sense to just have a ConVar to turn on the use of a 'minimal lua os library' (only have access to clock, date, difftime, locale, and time) and another to completely disable the IO library (sv_minimalLuaOSLibrary and sv_disableLuaIOLibary) this would block a lot of "harmful" behavior (though the IO block can be worked around by other means, this would stop the possibility to abuse it in the most common runtime)