Enforce guarantee of indexing fundamental members

  • A script that receives an unknown instance should be able to identify the instance.
  • A script should be able to walk the game tree (or any tree of instances) uninhibited.
  • Certain instances are RobloxLocked (CoreGui), or unconditionally throw errors when indexed (NonReplicatedCSGDictionaryService), which can make it difficult to handle instances in a general way.

Identification

These members are required to identify an instance, so access to them should be absolutely guaranteed.

  • ClassName
  • IsA
  • Name

RobloxLocked

Low-permission environments must be able to read RobloxLocked to determine whether other members can be accessed. Adding the “ScriptWriteRestricted” security context may solve this.

Tree-related

Note that most instances made accessible by these members can already be acquired by other means (e.g. game.DescendantAdded acquires everything).

  • Parent (read-only)
  • FindFirstChild
  • FindFirstChildOfClass
  • GetChildren
  • IsAncestorOf
  • IsDescendantOf
  • WaitForChild
  • AncestryChanged
  • ChildAdded
  • ChildRemoved
  • DescendantAdded
  • DescendantRemoving
40 Likes

It would be very useful to be able to index RobloxLocked instances and also access CoreGui in the interests of detecting exploiters. It would literally be as easy as adding a white-list to CoreGui to ensure only ROBLOX interfaces are present.

Please don’t do that, the children of CoreGui are not guaranteed and we’d rather not have you kill your own game when we add a new feature.

It’s more about detecting extremely late CoreGui additions with non-regular names, or detecting malicious text :stuck_out_tongue:

Not really going to help you. There are plenty of cases where things are added to the CoreGui later in the game, like the player list. Now, if you whitelist the player list explicitly, I’m just going to put my exploit stuff inside that.

This is really a bad idea, trust me. I was even considering adding lazy loading for some of the settings menu pages soon.

3 Likes

i will find a way to be happy

As of the last release, Release 377, tostring can no longer be used to get the name of Instances that are restricted. As people were using this to identify Instances, this thread gains relevance.

Within a normal studio environment, there are currently four locked services that even the command bar cannot index. At times, Instances that are locked have been placed in locations that would normally be accessible. As someone who writes plugins that interacts with Selection, this has caused problems in the past.

A setting was recently added to Studio to display the entire game hierarchy in the Explorer widget. This exposes CSGDictionaryService, NonReplicatedCSGDictionaryService, CorePackages, and RobloxReplicatedStorage to be selected without using Selection. This makes the problem with selecting restricted Instances worse because it can happen during normal Studio use.

To prevent this error from happening, you currently have to identify what is selected without indexing it, or catch any errors that occur when trying to index it. The former is no easy task, and the second one can unnecessarily complicate code. A lot of plugins that use Selection simply don’t do this validating because they don’t think about it which creates messy errors in the output. This has and will likely continue to cause confusion in the future because the meaning behind these errors is currently not documented anywhere officially.

If we were guaranteed access to basic properties, methods, and events of all Instances, this problem would be solved for the most part since the most common cause of these errors is trying to index basic hierarchical or labeling information, like Parent, ClassName, or Name. Writing to these properties should still be forbidden for obvious reasons.

An added bonus to this would be that Instances would no longer be able to hide behind RobloxLocked Instances. Currently, you can parent to restricted Instances either just through directly setting something’s Parent or by exploiting. That Instance is then protected from all scrutiny by proxy, preventing you from identifying if it was added by Roblox or by a potentially malicious third party. Some developers use client-side checks to see if anything suspicious was added from the client, and this sort of accessibility would be invaluable to them. If the hierarchy was guaranteed to be traversable, it would be possible, and without compromising the actual security of RobloxLocked Instances.

18 Likes

I need to be able to access IsA to correctly process the selection returned by the Selection service in my Studio Tweaks plugin. It is unacceptable that I need to pcall every single instance selected to process them because pcall has overhead, and unnecessarily complicates my code. The methods mentioned in the OP are absolutely essential. Completely blocking all access to certain classes, including the ability to even identify them, is a lazy solution to security that hurts developers.

6 Likes