by aezart 1113 days ago
I foresee this being a big problem for the Godot game engine as it gains popularity. There's absolutely no sandboxing or "safe mode" or anything when loading extra resource packs, and any resource or scene file can have an embedded script which executes upon loading.
2 comments

Do you mean this would be an issue with regards to using their asset store/3rd party plugins for your game?

If so, how is it really any different from just regular nodejs packages or Python packages? That’s a risk developers seem to ignore.

Or are you talking about scripts being added for modding purposes like Minecraft? If so, that’s a pretty good point, would be nice to have Godot implement some sort of sandboxed system you can use. Not sure what the term would be or how that would even work.

This isn't Godot specific at all is it? A very large amount of game modding involves running unrestricted code.
That's quite possible, I'm not super into the modding scene. I guess my default assumption is that mods should be running through some sort of scripting interface that doesn't have access to things like the filesystem.
When developers add an official modding interface, then it usually works the way you've suggested. They get access to much of the internal API and a sandboxed environment.

Many mods though, work by just subverting the game by replacing components with custom-made ones. This allows substantially more customization.

In Minecraft, both types exist. The first type are called "data packs" or "resource packs" and would not be subject to this attack. The latter type involves swapping in new .jar files and running them directly, which is unsupported by the developer and gives basically unrestricted access.

This might be a bit nitpicky, but resource packs just replace assets without scripting capabilities, and datapacks do let you run commands which are Turing-complete, but they aren’t really a great programming language because you can’t do things like loops in a normal way.
Graphical mods are still mods. You don't need scripting for a mod to be a mod. It just has to modify the base game.
I’m not saying it doesn’t count, just pointing out some differences.