Can _G functions that were defined on the server be called from the client?

Basically the whole game relies on that one function to start, so it wouldn’t be cute if an exploiter could run the function. So I pose this question:

Can _G functions that were defined on the server be called from the client?

1 Like

Correct me if I am wrong, but functions defined on the server can't be called because the client can't access the server.

It’s true that _G is a global function, but if you can’t access the function then you shouldn’t be able to call it.

2 Likes

Thank you! If anyone sees this that thinks otherwise please chime in ASAP because it has the potential to be a huge vulnerability.

_G functions on the server can only be called by the server and vice versa, so there is no need to worry about exploiters calling your server function.

1 Like

The client/server both have a separate instance of _G and shared. This would be a pretty large security issue otherwise.

The same concept applies to RemoteEvents. They automatically remove metatables and functions from the arguments passed through them. This also helps with security. See this example:

-- server
local usedEffects = {}
local cooldown = 4

AddEffect.OnServerEvent:Connect(function(player, location)
    if not usedEffects[player] then
        usedEffects[player] = os.time() - cooldown
    end

    if os.time() - usedEffects[player] >= cooldown then
        local attachment = Instance.new("Attachment")
        attachment.WorldPosition = Vector3.new(location.X, 0, location.Y)
        attachment.Parent = workspace.Terrain

        usedEffects[player] = os.time()
    end
end)

At first, this seems harmless. However, this is very easy for the client to tamper with.

-- client
local Players = game:GetService("Players")

AddEffect:FireServer(setmetatable({}, {
    __index = function()
        for _, player in ipairs(Players:GetPlayers()) do
            if player ~= Players.LocalPlayer then
                player:Kick()
            end
        end
    end
}))

In this way, the client would’ve been able to force the server into kicking every single player except themselves, and the server wouldn’t even realize. Thankfully, Roblox automatically removes metatables and functions, which means that we are safe from exploits like those.

3 Likes
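
An added example, not part of the original posts: even with metatables and functions stripped, the client still chooses the argument, so the server handler from the post above can check it before use. It assumes the client sends a Vector2, that AddEffect is a RemoteEvent in ReplicatedStorage, and that MAX_COORD is a bound you pick for your own map; all three are illustrative assumptions.

```lua
-- server (added example; names marked "assumed" are not from the thread)
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local AddEffect = ReplicatedStorage:WaitForChild("AddEffect") -- assumed location

local COOLDOWN = 4
local MAX_COORD = 2048 -- assumed map bound; set this to your playable area
local lastUsed = {}    -- [Player] = os.time() of the last accepted request

-- True only for a Vector2 whose components are finite and inside the map.
local function isValidLocation(value)
    if typeof(value) ~= "Vector2" then
        return false -- rejects nil, strings, numbers, tables, Instances
    end
    for _, n in ipairs({ value.X, value.Y }) do
        -- n ~= n is true only for NaN; math.abs also catches +/- infinity
        if n ~= n or math.abs(n) > MAX_COORD then
            return false
        end
    end
    return true
end

AddEffect.OnServerEvent:Connect(function(player, location)
    -- player is supplied by the engine; location comes from the client
    if not isValidLocation(location) then
        return
    end

    local now = os.time()
    local last = lastUsed[player]
    if last and now - last < COOLDOWN then
        return -- still on cooldown
    end
    lastUsed[player] = now

    local attachment = Instance.new("Attachment")
    attachment.WorldPosition = Vector3.new(location.X, 0, location.Y)
    attachment.Parent = workspace.Terrain
end)

-- Clear the entry when the player leaves so the table does not keep growing.
Players.PlayerRemoving:Connect(function(player)
    lastUsed[player] = nil
end)
```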