Can I run code using HttpService:GetAsync()

Say I have a pastebin: https://pastebin.com/my-pastebin-here
Now say the pastebin had this code in it: print("Hello")
Now here is the request: game:GetService("HttpService"):GetAsync("https://pastebin.com/my-pastebin-here)
How would I make it run the code: print("Hello")
all help will be accepted ; )

1 Like

You have to use loadstring() to run code from a string (which is what the code from pastebin is, right?). First, you have to enable LoadString under SeverScriptService.

But this is dangerous alone!

Use @Hexcede’s resource (Script Sandbox) with LoadString enabled to secure your game with his enabled.

5 Likes

It’s only dangerous if you use it to run code which contains user-generated information. For example, if you let a user type in a string and put it between quotes in the actual loadstringed code. Running loadstring on code from a source you know you can trust isn’t any more risky than requiring a module by ID.

4 Likes

Thank you for the responses, @TheCarbyneUniverse, I am not going to be using this for any loadstrings except mine, I know that exploits can use loadstrings, will enabling this make it so that they can run server side loadstrings?

1 Like

Thats what I was thinking, but I couldn’t really find anything much on loadstring and why it was so dangerous to enable so I left it alone.

1 Like

No, exploiters can never access the server. You only have to be mindful on the local side, really.

1 Like

I wanted this because I was selling something I call ORE (One Remote Event), and I wanted to make an auto update system. I also want to know how will I keep the player from ever accessing the code (So they can’t steal it)

No, you should be safe. The concern with loadstring is that something that seems harmless (for example, letting a player input a string) can easily be abused. For example:

local playerData = -- some user input idk
loadstring([[print("]] .. playerData .. [[")]]) -- prints what they say :) 

-- some exploiter types this:
yay!"); script:Destroy("
-- causing the script to run this:
print("yay!"); script:Destroy("")

In addition, allowing a moderator to run server-sided code, which might be a main use case for the function, has a number of security implications. They could view, edit, or delete any user data with ease.

Regardless, storing your script on the web isn’t likely to make it any safer. If they’re loadstringing it, they have access to the raw code at some point, and they could just print it. If anything, it makes it more risky, since someone can view the code without access to the game.

2 Likes

How would I do this?

I have no idea how to.

This isn’t really a solvable problem. To run the code, they have to be able to access it somehow. Services like Devable claim to have “Script Protection,” but I have no idea what they could be doing that would actually work.

2 Likes

Is there any way I can get a “Original” mark from roblox staff so anyone that makes another version is marked as a fake or something around those lines”

Nope. That’s not a thing, unfortunately.

2 Likes

So there is no way to make my assets not get stolen and then published for free

Yeah, there’s no way you can do that. You could report copies, though, I guess.

2 Likes

So what I want the person to do to install ore is: loadstring(game.HttpService:GetAsync("https://pastebin.com/raw/7eFdfFQm"))
Here is the code inside of the paste:

local ORE = Instance.new("Folder")
local Assets = Instance.new("Folder")
local StartUp = Instance.new("Script")
local Handler = Instance.new("ModuleScript")
local started = Instance.new("BoolValue")

--Parenting
ORE.Parent = workspace
Assets.Parent = ORE
StartUp.Parent = ORE
Handler.Parent = StartUp
started.Parent = Handler

--Naming
ORE.Name = "ORE"
Assets.Name = "Assets"
StartUp.Name = "StartUp"
Handler.Name = "Handler"
started.Name = "started" started.Value = false
--Code
StartUp.Source = [[-- to make it look fancy (bc it is)
local handler = require(script.Handler)
wait(0.1)
for i = 1, 100 do
	print("Loading ORE V: " .. handler.Version .. " ".. i .. "%")
	wait()
end

print("Prerequisites Loaded")
wait(2)
for Section = 1, 3 do
local randomNum = math.random(10, 30)
for i = 1, randomNum do
	print("Loading ORE V: " .. handler.Version .. " Main Section " .. Section .. "/8" .. " " .. i .. "/" .. randomNum)
	wait(0.04)
end
print("Finished Section " .. Section)
wait(1)
end
wait(1)
script.Handler.started.Value = true

But it doesn’t do anything ; 0
No errors at all.

loadstring returns a function. You need to call that function.

1 Like

So I should do

local Function = loadstring(game.HttpService:GetAsync("https://pastebin.com/raw/7eFdfFQm")) Function()
1 Like

Actually I just did: loadstring(game.HttpService:GetAsync("https://pastebin.com/raw/7eFdfFQm"))()

1 Like

The provided pastebin link seems to be setting protected properties, are you running this in the context of a plugin? If so I wouldn’t recommend using loadstring with http inside a plugin as it may cause end users to not trust your plugin as they will be prompted if they want to allow the request.

You also should always use game:GetService instead of directly indexing the game instance!

1 Like

I am running it inside of the Command Bar.