WebConsole.lua: Simple Browser-based Lua Console for all Scripting Environments (+HTTP API)

[Actium]

TL;DR: This is an EXPERIMENTAL, interactive, browser-based Lua console with syntax highlighting for scripting in all of DCS' scripting environments. It explicitly supports mission scripting (no endless edit DO SCRIPT code, restart mission cycles). Install by copying WebConsole.lua into your Scripts/Hooks folder, start a DCS mission, and open the console in your web browser. Script return values are automatically serialized as human- and machine-readable JSON. Also supports non-interactive use through an HTTP API to issue DCS scripting commands from any programming language. Read below security advisory before installing!

I'm publishing it in its current state, because I already use it productively for mission scripting and I'm looking for feedback from the community. As it is experimental, there are no support or compatibility guarantees. Use at your own risk, feel free to break it, and don't hesitate to report any issues in this thread!

Features

• Easily run arbitrary code in all of DCS' scripting environments (called Lua states, accessed via net.dostring_in()). Currently, these include config, export, gui, mission, and server. Let me know if anything is missing.
  Access to the separate mission scripting environment (dubbed *a_do_script), where all DO SCRIPT code from the mission editor runs, is supported out of the box since DCS 2.9.13 (no modification of MissionScripting.lua required).
• Supports both clients and (dedicated) servers. Clients not also serving missions, e.g., from the mission editor, are restricted to the gui environment.
• Lua syntax highlighting and checking via an embedded code editor (ACE).
• Secure integration into mission scripting: Unlike other consoles, WebConsole.lua does not require disabling the sanitization in MissionScripting.lua.
• Serialization of complex return values into human- and machine-readable JSON. Interactive inspection of returned JSON objects (see screenshot). The serialization format is a work-in-progress, i.e., not stable. Beware of arrays starting with null.
  Alternatively serializing to Lua is feasible, but currently unimplemented. Feel free to implement and contribute it.
• HTTP API for non-interactive use from a programming language of your choice. Includes error handling and translation into appropriate HTTP status codes (Success -> 200 OK; Error -> 500 Internal Server Error). Note that the API is not stable and may change without notice.

Security Advisory

All DCS Lua consoles, e.g., dcs-witchcraft, DCS-BIOS, DCS Fiddle, DCS Lua Runner, DCS Code Injector, and mine, use a socket bound to localhost (127.0.0.1) to issue scripting commands to DCS. This socket is not accessible remotely, neither from the internet, nor from your local area network. However, the socket is open to any user or program on your local computer. Without a firewall in place, other users (and whatever software they run) can use the socket and Lua's os.execute() to escape DCS' Lua scripting, enabling arbitrary code execution with user permissions. This is a potential security vulnerability that could be exploited to access/steal your files, install malware, etc. Single-user computers are generally safe. However, multi-user systems are vulnerable, unless properly firewalled (or all co-users are absolutely trustworthy).

Do **NOT EVER** modify WebConsole.lua to bind the socket to 0.0.0.0 to enable remote scripting access, as this would enable remote code execution for anyone. If you want to use the console remotely you could, e.g.:

1. Set up a reverse HTTP(S) proxy that authenticates and encrypts all web console requests.
2. Use encrypted and authenticated port forwarding, e.g., via Secure Shell: ssh -L 8089:127.0.0.1:8089 user@server (yes, allegedly Windows supports OpenSSH)
3. Set up a VPN and bind the socket to the VPN interface IP address. Note that everyone on the VPN will be allowed access, unless firewall rules are in place.

Installation

1. Download WebConsole.lua, and copy it into your Scripts/Hooks folder, e.g., %USERPROFILE%\Saved Games\DCS.dcs_serverrelease\Scripts\Hooks\WebConsole.lua.
2. Optionally, configure its HTTP port by setting webconsole_port = 12345 in your %USERPROFILE%\Saved Games\DCS.*\Config\autoexec.cfg. Defaults to 8089.

Interactive Use

After installing as instructed below, start a mission (e.g., from the mission editor or on a server). Open http://127.0.0.1:8089/ (if using the default port) in your browser while the mission is running. Type code, press Execute, and check its return value. Rinse, repeat.
The console does not work while the mission/server is paused.

Non-Interactive Use

Exemplary curl command line to fetch server logs:

curl "http://127.0.0.1:8089/execute" -X POST \
-H "Accept: application/json" -H "Content-Type: application/lua" -H "X-Lua-State: gui" \
--data-raw "return {DCS.getLogHistory()}"

Exemplary Windows PowerShell code to fetch list of currently connected players from a server:

(Invoke-WebRequest `
-Uri http://127.0.0.1:8089/execute -Method POST `
-Headers @{"Accept" = "application/json"; "X-Lua-State" = "gui"} `
-ContentType "application/lua" `
-Body "local players = {}
for _, id in ipairs(net.get_player_list()) do
    players[#players + 1] = net.get_player_info(id)
end
return players").Content

Screenshots

Web console used to retrieve and display the contents of the global variable world in the mission scripting environment:

The web console can also be used to recursively dump all global variables via return _G. Note that doing so will freeze the server until serialization and HTTP transfer have completed. To avoid browser performance issues, the result display is truncated. The entire result can be saved to a file.
Serializing to JSON has the benefit of being able to use web development tools, like the interactive JSON inspectors included in, e.g., Firefox and Chrome. Click the Open button to open the result in a new window:

Edited Thursday at 05:39 PM by Actium

[Actium]

The newest DCS update to 2.9.13.6816 brought a significant change to a_do_script():

Quote

Scripting API. Added possibility to pass args and return values from mission scripting a_do_script() and a_do_file() APIs.

This newly introduced return value pass-thru obviates the workaround I had implemented to get return values from a_do_script() via a temporary file. This implies that modification of MissionScripting.lua is no longer necessary. You may remove the modification manually or by repairing DCS via the updater.
As a pleasant side-effect, installation is now significantly easier. Drop WebConsole.lua in the Scripts\Hooks folder and you're set.

I also improved the description for clarity.