+1 vote

I was reading up on modding support for Godot and came to the conclusion that it is certainly possible. The only problem is that if you allow GDScripts to be executed from mods, it allows anyone to write malicious code (deleting files from the system, executing arbitrary code, etc.).

Would it be possible to parse through the imported scripts with "File.get_as_text()" before integrating them into the game and filter all OS and security related functions, classes and variables? What would those classes and functions be?

It could be a lot easier than making a custom script language for modding the game.

PS: Not asking for any particular project, just wondering, and maybe giving help to anyone searching for solutions.

Godot version 3.2
in Engine by (103 points)

1 Answer

+3 votes
Best answer

> Would it be possible to parse through the imported scripts with "File.get_as_text()" before integrating them into the game and filter all OS and security related functions, classes and variables? What would those classes and functions be?

It is certainly possible, but it's a dangerous proposition. In the security world, it's widely known that allow lists will perform better than deny lists. That is, instead of rejecting known inputs, you should only allow inputs that are known to be safe from a predetermined list.

There are two issues with this when it comes to filtering source code:

  • You will never be aware of 100% of the possibly harmful methods, especially as new ones are added in new versions of Godot. It's a cat and mouse game.
  • It's possible to call methods in several ways, including cryptic ways you may not have foreseen. This is how many XSS attacks can still be done on websites in 2020.
by (11,917 points)
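
The answer's two points, run as an added example (Python, written for this page, not code from the post or from the Godot project): a deny-list scan and an allow-list scan over the same mod sources. The deny and allow sets, the `mod_api.spawn_enemy` API, the `m_` naming convention and the three mod scripts are all constructed assumptions.

```python
import re

# Assumed deny list a game author might write; incomplete by nature.
DENY = {"OS", "File", "Directory"}
# Assumed allow list: GDScript keywords plus the only API this hypothetical game exposes.
ALLOW = {"extends", "func", "var", "if", "else", "for", "in", "return", "pass",
         "true", "false", "Node", "_ready", "print", "range",
         "mod_api", "spawn_enemy"}
LOCAL_PREFIX = "m_"  # hypothetical convention: names defined by the mod start with this

# String literals and comments are skipped so their contents are not read as code.
SKIP = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|#[^\n]*')
IDENT = re.compile(r"\b[A-Za-z_]\w*")

def deny_list_hits(src):
    """Deny-list check: blocked names appearing anywhere in the raw text."""
    return sorted(n for n in DENY if re.search(r"\b%s\b" % re.escape(n), src))

def allow_list_violations(src):
    """Allow-list check: every identifier in code that is not explicitly permitted."""
    code = SKIP.sub(" ", src)
    return sorted({t for t in IDENT.findall(code)
                   if t not in ALLOW and not t.startswith(LOCAL_PREFIX)})

# Constructed mod scripts (not from the original page).
MOD_DIRECT = 'extends Node\nfunc _ready():\n\tOS.execute("placeholder", [])\n'
# The blocked name never appears as a token: it is assembled from string pieces.
MOD_INDIRECT = ('extends Node\nfunc _ready():\n'
                '\tvar m_o = Engine.get_singleton("O" + "S")\n'
                '\tprint(m_o.call("get_" + "name"))\n')
MOD_OK = ('extends Node\nfunc _ready():\n'
          '\tvar m_hp = 10  # OS is only mentioned in this comment\n'
          '\tmod_api.spawn_enemy("slime", m_hp)\n')

if __name__ == "__main__":
    for name, src in [("direct", MOD_DIRECT), ("indirect", MOD_INDIRECT), ("ok", MOD_OK)]:
        print(name, "| deny hits:", deny_list_hits(src),
              "| allow violations:", allow_list_violations(src))
```

The deny list passes the indirect script and flags the harmless one because of a comment, while the allow list fails closed on every name it does not know. The allow list is still only as safe as each name in it, since mods can pass arbitrary strings to anything it permits.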