PCK could leak source code #10087

Open
pochoco24 opened this issue Oct 15, 2024 · 3 comments
Labels
area:manual Issues and PRs related to the Manual/Tutorials section of the documentation enhancement topic:export

Comments

@pochoco24

Your Godot version:
v4.3.stable

Issue description:
This documentation page says that when using PCK resource packs for mods or texture packs, it won't disclose the source code, but if a user puts a script in the PCK, it can get access and read all of the scripts. This can be dangerous for public releases of games or apps.

It would be a good idea to allow the dev to choose what gets imported with ProjectSettings.load_resource_pack() (like textures or sounds) and avoid loading custom scripts.

URL to the documentation page:
https://docs.godotengine.org/en/stable/tutorials/export/exporting_pcks.html#

If you know how to fix the issue you are reporting please consider opening a pull request. We provide a tutorial on using git here: https://docs.godotengine.org/en/stable/community/contributing/pr_workflow.html, writing documentation at https://docs.godotengine.org/en/stable/community/contributing/docs_writing_guidelines.html and contributing to the class reference here: https://docs.godotengine.org/en/stable/community/contributing/updating_the_class_reference.html

@pochoco24 pochoco24 added the bug label Oct 15, 2024
@AThousandShips
Member

It doesn't say that though; it says it isn't needed, not that it won't happen. It could be a bit clearer, but it doesn't say:

it won't disclose the source code

@AThousandShips AThousandShips added enhancement area:manual Issues and PRs related to the Manual/Tutorials section of the documentation topic:export and removed bug labels Oct 15, 2024
@fire
Member

fire commented Oct 15, 2024

No source code disclosure needed for mods

As far as I know, the current status of the gdscript byte code encoder is that it runs very few optimizations, and Godot Engine's gdscript bytecode can be decoded by https://github.com/bruvzg/gdsdecomp in easy-to-do ways.

Source code disclosure means that gdscript byte code encoding can be obscured, which isn't possible unless you use a cryptographically signed box, similar to a box with multiple locked containers where the game developer releases the key on a schedule or a steam release on a particular day where the release decryption key is released, and the data is accessible.

Source code disclosure is unrelated to the sandbox concept of executing mod code that will be blocked from running "notepad.exe" on your computer. See godotengine/godot-proposals#5010 and my godot-sandbox project.

You argue that arbitrary remote code execution that causes Godot Engine to dump its source code is source code disclosure, but that isn't strictly promised here in the documentation.

@fire
Member

fire commented Oct 15, 2024

We have developed a Godot Engine resource name based allow list technology for our V-Sekai social VR project, and I have posted the branch here: https://github.com/V-Sekai/godot/tree/resource_loader_whitelist_4.4

@lyuma worked on it if you want details.
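The issue asks for a way to mount a mod PCK while refusing to load any scripts it carries, and the last comment points at a resource-name allow list. The following GDScript is an added example of that pattern written for this page; it is not code from the issue, from the Godot documentation, or from the V-Sekai branch. It assumes the game expects mod content under res://mods/ and that the extension lists below are what this particular game wants to accept; both are assumptions, not Godot conventions.

```gdscript
# mod_loader.gd -- added example, not from the issue or the Godot docs.
# Mounts a mod PCK without letting it shadow any file of the base project
# (replace_files = false) and then hands out only resources whose extension
# is on an allow list. A .gd/.gdc/.cs file in the pack is never load()ed or
# instantiated by the game, so it is never executed.
extends Node

# Assumption: this game only wants textures, audio and translations from mods.
const ALLOWED_EXTENSIONS := ["png", "jpg", "webp", "ogg", "wav", "po", "translation"]
# Anything that is code, or that can reference or embed code (scenes and
# text/binary resources can carry built-in scripts), rejects the whole pack.
const SCRIPT_EXTENSIONS := ["gd", "gdc", "gde", "cs", "dll", "gdextension", "tscn", "tres", "res"]

# Mount a pack and return the paths under mod_root that the game may load().
# Returns an empty array if the pack failed to mount or contains any file
# from SCRIPT_EXTENSIONS, so the caller loads nothing from it.
func load_mod(pack_path: String, mod_root: String = "res://mods/") -> PackedStringArray:
	# replace_files = false: files already in the project cannot be replaced
	# by the pack, so a mod cannot swap out one of the game's own scripts.
	if not ProjectSettings.load_resource_pack(pack_path, false):
		push_error("Could not load pack: " + pack_path)
		return PackedStringArray()
	var safe := PackedStringArray()
	for path in _list_files(mod_root):
		var ext := path.get_extension().to_lower()
		if ext in SCRIPT_EXTENSIONS:
			push_error("Pack %s contains code or a scene ('%s'); refusing to load any of it" % [pack_path, path])
			return PackedStringArray()
		if ext in ALLOWED_EXTENSIONS:
			safe.append(path)
	return safe

# Recursively list every file under a res:// directory, including files
# that were added to the virtual filesystem by a mounted pack.
func _list_files(dir_path: String) -> PackedStringArray:
	var result := PackedStringArray()
	var dir := DirAccess.open(dir_path)
	if dir == null:
		return result
	dir.list_dir_begin()
	var name := dir.get_next()
	while name != "":
		var full := dir_path.path_join(name)
		if dir.current_is_dir():
			result.append_array(_list_files(full))
		else:
			result.append(full)
		name = dir.get_next()
	dir.list_dir_end()
	return result
```

Two design points matter here. First, mounting a pack does not by itself run anything; a script inside it only executes once the game load()s it directly or loads a scene or resource that references it, which is why the check rejects scenes and resources as well as scripts, and why the caller must only ever load() paths returned by load_mod. Second, replace_files = false closes the other route, a mod overriding an existing res:// script of the game; the scan only covers mod_root, so a pack can still add unused files elsewhere, but nothing in the game will ever load them.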
