changing shellscripts to lua scripts for safety and control

cmd/packets/main.go

@@ -28,6 +28,7 @@ import (
 	"github.com/BurntSushi/toml"
 	"github.com/klauspost/compress/zstd"
 	"github.com/schollz/progressbar/v3"
+	lua "github.com/yuin/gopher-lua"
 	"golang.org/x/net/ipv4"
 	_ "modernc.org/sqlite"
 )
@@ -534,6 +535,16 @@ func Install(packagepath string, serial uint) error {
 
 	// TODO LUA SCRIPT
 
+	L := lua.NewState()
+	defer L.Close()
+
+	L.SetGlobal("packets_package_dir", lua.LString(cfg.Config.DataDir))
+	L.SetGlobal("packets_bin_dir", lua.LString(cfg.Config.BinDir))
+
+	if err := L.DoFile(manifest.Hooks.Install); err != nil {
+		log.Panic(err)
+	}
+
 	fmt.Printf("Package %s fully installed\n", name)
 
 	var insert = Installed{

go.mod

@@ -4,8 +4,9 @@ go 1.24.4
 
 require (
 	github.com/BurntSushi/toml v1.5.0
+	github.com/klauspost/compress v1.18.0
 	github.com/schollz/progressbar/v3 v3.18.0
-	github.com/ulikunitz/xz v0.5.12
+	github.com/yuin/gopher-lua v1.1.1
 	golang.org/x/net v0.41.0
 	modernc.org/sqlite v1.38.0
 )

go.sum

@@ -10,6 +10,8 @@ github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17k
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
@@ -28,8 +30,8 @@ github.com/schollz/progressbar/v3 v3.18.0 h1:uXdoHABRFmNIjUfte/Ex7WtuyVslrw2wVPQ
 github.com/schollz/progressbar/v3 v3.18.0/go.mod h1:IsO3lpbaGuzh8zIMzgY3+J8l4C8GjO0Y9S69eFvNsec=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
-github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
+github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
 golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=

internal/internal.go

@@ -6,10 +6,12 @@ import (
 	"io"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 
 	"github.com/BurntSushi/toml"
 	"github.com/klauspost/compress/zstd"
+	lua "github.com/yuin/gopher-lua"
 )
 
 type ConfigTOML struct {
@@ -80,7 +82,7 @@ func ManifestReadXZ(path string) (*Manifest, error) {
 
 			var manifest Manifest
 
-			decoder.Decode(manifest)
+			decoder.Decode(&manifest)
 
 			return &manifest, nil
 		}
@@ -117,3 +119,85 @@ func DefaultConfigTOML() *ConfigTOML {
 	}
 
 }
+
+func IsSafe(str string) bool {
+	s, err := filepath.EvalSymlinks(filepath.Clean(str))
+	if err != nil {
+		return false
+	}
+	var cfg ConfigTOML
+	toml.DecodeFile(filepath.Join(PacketsPackageDir(), "config.toml"), &cfg)
+
+	if strings.HasPrefix(s, cfg.Config.DataDir) || strings.HasPrefix(s, cfg.Config.BinDir) {
+		return true
+
+	} else if strings.Contains(s, ".ssh") {
+		return false
+
+	} else if strings.HasPrefix(s, "/etc") {
+		return false
+
+	} else if strings.HasPrefix(s, "/usr") || strings.HasPrefix(s, "/bin") {
+
+		return strings.HasPrefix(s, "/usr/share")
+
+	} else if strings.HasPrefix(s, "/var/mail") {
+		return false
+
+	} else if strings.HasPrefix(s, "/proc") {
+		return false
+
+	} else if strings.HasPrefix(s, "/sys") {
+		return false
+
+	} else if strings.HasPrefix(s, "/var/run") || strings.HasPrefix(s, "/run") {
+		return false
+
+	} else if strings.HasPrefix(s, "/tmp") {
+		return false
+
+	} else if strings.HasPrefix(s, "/dev") {
+		return false
+
+	} else if strings.HasPrefix(s, "/boot") {
+		return false
+
+	} else if strings.HasPrefix(s, "/home") {
+		if strings.Contains(s, "/Pictures") || strings.Contains(s, "/Videos") || strings.Contains(s, "/Documents") || strings.Contains(s, "/Downloads") {
+			return false
+		}
+
+	} else if strings.HasPrefix(s, "/lib") || strings.HasPrefix(s, "/lib64") || strings.HasPrefix(s, "/var/lib64") || strings.HasPrefix(s, "/lib") {
+		return false
+
+	} else if strings.HasPrefix(s, "/sbin") {
+		return false
+
+	} else if strings.HasPrefix(s, "/srv") {
+		return false
+
+	} else if strings.HasPrefix(s, "/mnt") {
+		return false
+
+	} else if strings.HasPrefix(s, "/media") {
+		return false
+	} else if strings.HasPrefix(s, "/snap") {
+		return false
+	}
+
+	return true
+}
+
+func safeRemove(L *lua.LState) int {
+	path := L.CheckString(1)
+	if !strings.HasPrefix(path, safeBase) {
+		L.Push(lua.LString("acesso negado"))
+		return 1
+	}
+	err := os.Remove(path)
+	if err != nil {
+		L.Push(lua.LString(err.Error()))
+		return 1
+	}
+	return 0
+}