[Asset Marketplace] Frost.Shop

loadstring isn’t even that malicious, it’s just dynamic script execution, and if I did insert a script with it into your game, you would have to enable LoadStringEnabled for it to actually work, the real way people infect games is through require.

can i check please, can you give the pastebin link?

Frost.Shop AssetsList - Pastebin.com (i mentioned why we use pastebin in the original post)

I’m very sorry for the inconvenience. I just had to check it but there is nothing malicious.

1 Like

:sob: i have been in the verification game already two times but in the plugin it says i’m not verified.

press continue after verifying

That’s still not great. I wouldn’t mind it if it was just for the assets because there’s an explicit user opt-in to having things in their game being modified, but there’s no excuse for loading a simple table when the plugin starts.

You, or someone who is able to overwrite that Pastebin, would be able to insert code that would run silently every time the plugin is run.

Yes. loadstring has its valid use cases but this is not one of them, as any input to loadstring has the same access as the script executing the loadstring. Usually you’d use a JSON decode as JSON doesn’t have any script execution capabilities, it’s purely a data storage format.

That would be true if the script was running as a game script. But it’s not, you’re running as a plugin which always has ‘loadstring’ privileges, and you clearly know that that’s not true given that your plugin wouldn’t work at all without loadstring.

i was talking about inserting scripts into the game that are malicious, there is nothing malicious about running loadstring code on the plugin, where I could already be running malicious code before inside the original plugin code. (sorry for the confusing explanation)

1 Like

Yes, but you’d have to go through the Plugin Marketplace, where Roblox would have history of every version of the plugin you would push. With a loadstring you’re effectively bypassing Roblox moderation, and could silently push new, malicious code without any user needing to update their plugin.

Plus, you’ve never addressed why you’re obfuscating the call with string.reverse

1 Like

roblox automatically takes down your asset when you just put loadstring(),

as for “silently” making a malicious update,
the way our plugin is coded does not allow for that, the way the code uses loadstring.

So that’s why you’re obfuscating the code, to bypass the Roblox security checks?

roblox says inside their moderation, you cannot use loadstring for malicious intent, but roblox still takes down all assets with loadstring and we aren’t using this for malicious intent.

Me reading this thread wondering why you’re not getting it. The fact you’re trying to obfuscate around Roblox’s own security checks is enough to not use this plugin, that’s REALLY sketchy, and I think you know this.

There is little to no legitimate reasoning to use loadstring. As tay rightly mentioned, if someone edits your pastebin, which can happen, anyone (including you) can inject malicious code into your plugin, effectively bypassing any Roblox moderation.

Why can’t you just create JSON and return that, then handle it with JSONDecode?

6 Likes
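
The JSON approach suggested in the replies above, sketched as an added example (not part of the original posts and not Frost.Shop's code). The URL is a placeholder and the `name`/`assetId`/`price` fields and size limits are assumed for illustration; the remote text is parsed as data and each entry is validated, so nothing fetched is ever executed.

```lua
-- Added example: load a remote asset list as data, never as code.
local HttpService = game:GetService("HttpService")

-- Placeholder URL (assumption); replace with the real list location.
local ASSET_LIST_URL = "https://example.invalid/assets.json"
local MAX_BODY_BYTES = 64 * 1024 -- assumed limit
local MAX_ENTRIES = 500 -- assumed limit

-- Hypothetical schema: [{"name": "Sword", "assetId": 123, "price": 50}, ...]
local function validateEntry(entry)
	if type(entry) ~= "table" then return nil end
	local name, assetId, price = entry.name, entry.assetId, entry.price
	if type(name) ~= "string" or #name == 0 or #name > 64 then return nil end
	if type(assetId) ~= "number" or assetId % 1 ~= 0 or assetId <= 0 then return nil end
	if type(price) ~= "number" or price ~= price or price < 0 then return nil end
	-- Copy only the known fields so unexpected keys never reach the rest of the plugin.
	return { name = name, assetId = assetId, price = price }
end

local function parseAssetList(body)
	if type(body) ~= "string" or #body > MAX_BODY_BYTES then
		return nil, "body missing or too large"
	end
	-- JSONDecode only produces tables, strings, numbers and booleans; it errors on bad input.
	local ok, decoded = pcall(function()
		return HttpService:JSONDecode(body)
	end)
	if not ok or type(decoded) ~= "table" then
		return nil, "not valid JSON"
	end
	local assets = {}
	for i, entry in ipairs(decoded) do
		if i > MAX_ENTRIES then break end
		local clean = validateEntry(entry)
		if clean then table.insert(assets, clean) end
	end
	return assets
end

local function fetchAssetList()
	local ok, body = pcall(function()
		return HttpService:GetAsync(ASSET_LIST_URL)
	end)
	if not ok then
		return nil, "request failed: " .. tostring(body)
	end
	return parseAssetList(body)
end

return { fetchAssetList = fetchAssetList, parseAssetList = parseAssetList }
```

With this shape, someone who edits the remote list can change which entries are displayed but cannot run code inside the plugin.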

we still need loadstring for the asset loading.

i wouldn’t put so much effort into something like this just to turn it into something malicious, I had to pay a lot for the user interface made too

have you managed to get it to work?

Does the user have to pay a fee to host it on the plugin, and how do you make it so that a. the assets that are bought are delivered, and b. the person selling gets their fair share and people don’t just use the open source nature of the plugin to get it for free in some way?

hey, please read the post more carefully next time as I have already explained the answer to your question(s).

they get 30% of the credits when someone buys the item,
the items are very securely protected and serialized into text/luau code which is then later loaded when a request sent to the api matches all requirements, making the purchase very secure.

I’m getting this error:
19:40:18.922 Requested module experienced an error while loading - Edit - InventoryHandler:2
19:40:18.922 Stack Begin - Studio
19:40:18.922 Script ‘cloud_116409962813167.FrostShopPlugin.InventoryHandler’, Line 2 - Studio
19:40:18.922 Stack End - Studio

try restarting studio, i think it’s just being slow