Are inappropriate strings in datastores a risk for my game?

I’m writing an FPS attachment system that saves its own configurations based on a JSON string, something like this but JSON-converted whenever it’s being saved:

Problem is, the client can currently save whatever they want to, which is currently just stopped by the attachment system being type-secure (a receiver has chosen mounting points, with chosen mount classes, which means an incorrect class or an out-of-range lerp will either error or be ignored).

This is fine, at least right now, however, let’s say a little funny child tells the server to save this:

The gun will still compile, as it ignores anything it doesn’t specifically SEARCH for, and no one will see it actually inside the string. However, I’d like to know:

Is this gonna result in moderation?

Do you plan on showing this string to other players? Any input from a player that will be shown is supposed to be filtered.

As I mentioned in the thread, the client can save anything they want to the datastore, however it is not going to be shown; these are just gun compilation instructions.

2nd thing, it is KINDA going to be shown in the demo, but only for your own properties;

If given child were to exploit, the swear-words would only be visible for him (at least at the moment), and after the game’s out of alpha, by basically no one.

Well, it would be their fault for putting a bad word.

If it’s not going to be shown to anyone except who inputted it you probably wouldn’t need to worry. But if you want to be 100% safe, what you can do is send the string to the server for it to be filtered. If it gets filtered then tell the client to choose another name that is appropriate.

2 Likes

Yeah, I can’t filter literal compilation instructions. The raw, original settings have no keyboard input-based things aside from what is mounted on the gun, meaning a real player that didn’t decide to dump 20$ on an exploit wouldn’t be able to save any swear-words there.

Aside, thanks for the answer!

1 Like

If you know what valid instructions are, can’t you just prevent them from being added at all in the first place? Do clients directly input JSON?

If you’re printing this string to the local console unfiltered you may be at risk.

1 Like

I wrote a validator, it’s just a hassle to keep the correct instructions updated (and it didn’t work very well because it was written at 3am). I wanted to know whether I could get rid of it.

You should define your valid instructions in a module script table that maps symbol to instruction string. Then just reference the symbols out of the table in your validator code. Then you’re always forced to define the symbol before you use it, and the list stays up to date.

E.g.
-- maps each instruction symbol to its instruction string
local map = {InstructionSymbol = "InstructionName"}
print(map.InstructionSymbol)

You should avoid printing unfiltered user input pulled from datastore to the local console. This is functionally the same as putting it right into a GUI.

1 Like
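
One way to apply the allowlist-table suggestion on the server before anything reaches the datastore, as an added example that is not code from this thread: the validator rebuilds the config from known keys only, so unrecognised strings are dropped rather than stored. The mount names, class names and the `class`/`lerp` field names are assumptions, since the real config format is not shown on the page.

```lua
-- Allowlist of mount points and the attachment classes each one accepts.
-- All names are hypothetical; a real game would keep this in a ModuleScript.
local VALID_MOUNTS = {
	Barrel = { Suppressor = true, Compensator = true },
	TopRail = { RedDot = true, Scope4x = true },
}

-- Rebuilds a config from scratch, copying only fields that pass the allowlist.
-- Returns the clean table, or nil plus a reason when a known field is invalid.
local function sanitizeConfig(decoded)
	if type(decoded) ~= "table" then
		return nil, "config is not a table"
	end
	local clean = {}
	-- Iterate over the allowlist, not the input, so unknown keys are never read.
	for mountName, allowedClasses in pairs(VALID_MOUNTS) do
		local entry = decoded[mountName]
		if entry ~= nil then
			if type(entry) ~= "table" then
				return nil, mountName .. ": entry is not a table"
			end
			if type(entry.class) ~= "string" or not allowedClasses[entry.class] then
				return nil, mountName .. ": class not allowed"
			end
			local lerp = entry.lerp
			-- lerp ~= lerp is true only for NaN, which must also be rejected
			if type(lerp) ~= "number" or lerp ~= lerp or lerp < 0 or lerp > 1 then
				return nil, mountName .. ": lerp out of range"
			end
			clean[mountName] = { class = entry.class, lerp = lerp }
		end
	end
	return clean
end

-- Constructed sample: a tampered client payload, already JSON-decoded.
local tampered = {
	Barrel = { class = "Suppressor", lerp = 0.4, note = "arbitrary text" },
	Junk = "more arbitrary text",
}
local clean = assert(sanitizeConfig(tampered))
-- The extra "note" field and the "Junk" key are absent from the rebuilt table.
print(clean.Barrel.class, clean.Barrel.lerp, clean.Barrel.note, clean.Junk)
```

On the server, the raw string would first be decoded with `HttpService:JSONDecode` inside a `pcall`, and only the re-encoded `clean` table would be written to the datastore.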