Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add external path and type whitelist to ResourceLoader #42

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add external path and type whitelist to ResourceLoader #42

wants to merge 1 commit into from

Conversation

fire
Copy link
Member

@fire fire commented Jan 21, 2025

For review.

@fire
Copy link
Member Author

fire commented Jan 21, 2025
edited
Loading 

if (using_whitelist && !external_path_whitelist.has(path)) {
   WARN_PRINT(vformat("Blocked internal resource path not in whitelist: %s.", path));

Lyuma is skeptical about the validation of internal sub-resource references. Do you know when this code was added?

-               external_resources.write[i].load_token = ResourceLoader::_load_start(path, external_resources[i].type, use_sub_threads ? ResourceLoader::LOAD_THREAD_DISTRIBUTE : ResourceLoader::LOAD_THREAD_FROM_CURRENT, ResourceFormatLoader::CACHE_MODE_REUSE, false, false, Dictionary(), Dictionary());
+               external_resources.write[i].load_token = ResourceLoader::_load_start(path, external_resources[i].type, use_sub_threads ? ResourceLoader::LOAD_THREAD_DISTRIBUTE : ResourceLoader::LOAD_THREAD_FROM_CURRENT, cache_mode_for_external, true, using_whitelist, external_path_whitelist, type_whitelist);

If Lyuma recalls, this was the change that broke it. Basically, the original idea was that external resources (which are whitelisted) would themselves be exempted from using whitelisted loading, under the assumption that these external resources are trusted but by passing the using_whitelist into the external resource load, it can cause an otherwise simple script to fail loading due to depending on something not in the whitelist.

From looking at the diff, the text resources were previously not using the whitelist?

lyuma
lyuma reviewed Jan 21, 2025
View reviewed changes
Copy link
Member

@lyuma lyuma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comments left in discord

core/io/resource_format_binary.cpp Outdated Show resolved Hide resolved
core/io/resource_format_binary.cpp Outdated Show resolved Hide resolved
core/io/resource_format_binary.cpp Outdated Show resolved Hide resolved
@fire fire mentioned this pull request Jan 21, 2025
Open
@fire fire force-pushed the resource-loader-whitelist-with-tests-4.4 branch 2 times, most recently from a7ac54a to 8367132 Compare January 22, 2025 18:54
@fire
Copy link
Member Author

fire commented Jan 22, 2025
edited
Loading

Test failure.

./tests/scene/test_resource_loader.h:151:
TEST CASE:  [SceneTree][ResourceLoader] Load Binary Resource Whitelisted - No allowed paths in the whitelist

./tests/scene/test_resource_loader.h:159: ERROR: CHECK_FALSE( resource.is_valid() ) is NOT correct!
  values: CHECK_FALSE( true )
TEST_CASE("[SceneTree][ResourceLoader] Load Binary Resource Whitelisted - No allowed paths in the whitelist") {
	init("load_resource_whitelisted_malicious_path", "res://");
	Dictionary ext_whitelist;
	Dictionary type_whitelist;
	type_whitelist["GradientTexture2D"] = true;
	type_whitelist["Gradient"] = true;
	Ref<Texture2D> resource = ResourceLoader::load_whitelisted(
			"res://trojan_resource.res", ext_whitelist, type_whitelist, "Texture2D");
	CHECK_FALSE(resource.is_valid());
}

@fire fire force-pushed the resource-loader-whitelist-with-tests-4.4 branch 6 times, most recently from 049ff68 to f97eace Compare January 28, 2025 21:31
@fire fire force-pushed the resource-loader-whitelist-with-tests-4.4 branch from f97eace to c37a447 Compare January 30, 2025 09:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lyuma lyuma lyuma left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fire @lyuma