H3x is a script sandbox which aims to be minimally intrusive (as little modification of functionality as possible), easily editable, secure, and reliable. Note: It requires loadstring to be enabled. You can do so with the ServerScriptService property.
NOTE: This project is a work in progress and has not yet been thoroughly tested. If you use it in a game, keep in mind you are still running user code and that user code can still be malicious!
If you find a security issue, or something you think is a risk, please notify me via PMs ASAP so I can release a fix to the issue(s)!
Joining the update mention list (Revised 11/2/19)
If you would like to be mentioned by me when an update is published and get extra information such as planned features, please PM me with the search phrase "H3x mention list" in your message and be sure to include any specifics. For example, I can include any information you'd like to know about when I roll out an update and also include/exclude you for unimportant updates.
Features of the H3x Script Sandbox
- Completely indistinguishable from a root Roblox script environment besides modifications you make to the environment (or if using the default environment all Roblox instances will be missing).
- A default sandbox environment which automatically protects all global functions and values as well as removes all instances returned from functions or tables.
- getfenv on protected functions will return the sandbox's root environment.
- setfenv will invoke the error "'setfenv' cannot change environment of given object".
- Additionally, getfenv(2) from inside of a protected function will invoke the error "bad argument #1 (invalid level)", exactly like a root environment.
- No globals, Roblox functions, etc. are rewritten or changed at all. Everything is left intact with zero modifications, including setmetatable, etc., with the sole exception of require (due to security issues).
- A clean API offering access to controlling scripts.
- Script environment and require libraries APIs.
- All code contained within only two modules, one of which is only used internally to create new default environments.
- Nothing hacky is used. No uploading script models, no HttpService, no text parsing, only loadstring access is required.
- Custom require via the Context:RemoveLibrary(libraryName), and in scripts, library = require(libraryName) APIs.
- Hooking APIs which allow you to log every external call the script makes as well as external table usage. (Accessible via Sandbox:MakeEnvironment(Context ctx)'s second argument)
Uses of script sandboxing
- Running user-supplied code with limited or reduced access
- Analyzing obfuscated code
- Changing or extending the functionality of a script without changing its source code
- Map making SDKs
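
The hooking idea from the feature list (logging every external call and external table use), sketched in plain Lua 5.1 / Luau as an added example; this is not H3x's code or API, and guard, makeLoggedEnv and runSandboxed are hypothetical names. It guards only whitelisted globals and their fields; values returned by calls pass through unchanged.

```lua
-- Added illustration, not H3x source. Needs loadstring and setfenv (Lua 5.1 / Luau).
-- Wraps a whitelisted value so that use of it from sandboxed code is logged.
local function guard(name, value, log)
    if type(value) == "function" then
        return function(...)
            log[#log + 1] = "call " .. name
            return value(...)
        end
    elseif type(value) == "table" then
        return setmetatable({}, {  -- read-only view of the host table
            __index = function(_, key)
                return guard(name .. "." .. tostring(key), value[key], log)
            end,
            __newindex = function() error("read-only table: " .. name, 2) end,
            __metatable = "locked",  -- getmetatable() on the proxy returns this string
        })
    end
    return value
end

local function makeLoggedEnv(allowed, log)
    local own = {}  -- globals the script defines itself; never reach the host
    return setmetatable({}, {
        __index = function(_, key)
            if own[key] ~= nil then return own[key] end
            if allowed[key] == nil then log[#log + 1] = "denied " .. tostring(key) end
            return guard(tostring(key), allowed[key], log)
        end,
        __newindex = function(_, key, value) own[key] = value end,
        __metatable = "locked",
    })
end

local function runSandboxed(source, allowed)
    local log = {}
    -- Stock Lua 5.1 loadstring also accepts precompiled bytecode; refuse it.
    if source:sub(1, 1) == "\27" then return false, "bytecode rejected", log end
    local chunk, err = loadstring(source, "=sandboxed")
    if not chunk then return false, err, log end
    setfenv(chunk, makeLoggedEnv(allowed, log))
    local ok, result = pcall(chunk)
    return ok, result, log
end

-- Constructed sample: the script may use math only; os is not whitelisted.
local ok, result, log = runSandboxed("x = math.floor(3.7); os.exit()", { math = math })
for _, entry in ipairs(log) do print(entry) end
print(ok, result)
```

String methods reached through the string metatable (for example ("x"):rep(3)) do not pass through the environment, so this sketch does not log them.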