From 72b4ecdc36a18b99d7404067d51ef6eb438fc7d4 Mon Sep 17 00:00:00 2001
From: Zef Hemel
Date: Sun, 19 Jan 2025 13:02:01 +0100
Subject: [PATCH] Blacklist shell syscalls in Lua for now (security)
---
 common/space_lua_api.ts | 4 ++--
 website/API/shell.md | 12 ------------
 2 files changed, 2 insertions(+), 14 deletions(-)
 delete mode 100644 website/API/shell.md
diff --git a/common/space_lua_api.ts b/common/space_lua_api.ts
index 7f2ed42c..a2ae0349 100644
--- a/common/space_lua_api.ts
+++ b/common/space_lua_api.ts
@@ -26,10 +26,10 @@ export function buildLuaEnv(system: System, scriptEnv: ScriptEnvironment) {
 function exposeSyscalls(env: LuaEnv, system: System) {
 // Expose all syscalls to Lua
 // Except...
- const exclude = ["template"];
+ const blacklist = ["template", "shell"];
 const nativeFs = new LuaStackFrame(env, null);
 for (const syscallName of system.registeredSyscalls.keys()) {
- if (exclude.includes(syscallName)) {
+ if (blacklist.includes(syscallName)) {
 continue;
 }
 const [ns, fn] = syscallName.split(".");
diff --git a/website/API/shell.md b/website/API/shell.md
deleted file mode 100644
index 39184a9d..00000000
--- a/website/API/shell.md
+++ /dev/null
@@ -1,12 +0,0 @@
-The Shell API provides functions for running shell commands.
-
-### shell.run(cmd, args)
-Runs a shell command with the specified arguments.
-
-Example:
-```lua
-local result = shell.run("ls", {"-la"})
-print("Output: " .. result.stdout)
-print("Errors: " .. result.stderr)
-print("Exit code: " .. result.code)
-```
\ No newline at end of file
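Review bot: The added `"shell"` entry is compared against the full syscall name, so it probably never matches: `blacklist.includes(syscallName)` runs before `syscallName.split(".")`, and that split into `[ns, fn]` suggests the registered keys look like `shell.run` rather than `shell`. If so, the shell syscalls are still exposed to Lua after this commit, and the same would hold for the existing `"template"` entry. Do the split first and test the namespace: `const [ns, fn] = syscallName.split(".");` followed by `if (blacklist.includes(ns)) continue;`. Because this is a security control, an allowlist of namespaces would fail closed when new syscalls are registered, and a test asserting that `shell.run` is absent from the Lua env would pin the behaviour. The loop body of exposeSyscalls continues past the end of the hunk, so what happens to `ns` and `fn` afterwards is not visible here.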