Is this a posible solution for modding support security issues?

Question

I was reading up on modding support for godot, and got to the conclusion that it is certainly possible, only problem is if you allow GDscripts to be executed from mods it allows anyone to make malicious code (deleting files from the system, executing arbitrary code, etc)

Would it be possible to parse through the imported scripts with "File.getastext()" before integrating them to the game and filter all OS and security related functions, classes and variables? What would those classes and functions be?

It could be a lot easier than making a custom script language for modding the game

PD: Not asking for any particular project, just wondering and maybe give help to anyone searching for solutions

Answer 1

Would it be possible to parse through the imported scripts with "File.getastext()" before integrating them to the game and filter all OS and security related functions, classes and variables? What would those classes and functions be?

It is certainly possible, but it's a dangerous proposition. In the security world, it's widely known that allow lists will perform better than deny lists. That is, instead of rejecting known inputs, you should only allow inputs that are known to be safe from a predetermined list.

There are two issues with this when it comes to filtering source code:

• You will never be aware of 100% of the possibly harmful methods, especially as new ones are added in new versions of Godot. It's a cat and mouse game.
• It's possible to call methods in several ways, including cryptic ways you may not have foreseen. This is how many XSS attacks can still be done on websites in 2020.