How do you make a sandbox

I need help. I am making a game where you can execute scripts, but I would like to prevent the scripts that are run from kicking players or adding keys to a datastore, hence the name sandbox. I know you can do this with metatables, but I would not know how.

2 Likes

How do you mean “Execute scripts”?

This is done with loadstring, not the function, the module.

You can try making a text GUI where the player will need to put the ID of the asset, and if the argument is null, then it leaves it empty.

It will look like:

require(those_numbers)(argument)

But of course an easier way is to just make loadstring (using this GUI), but it’s very dangerous.

I have a game where you can execute scripts. To prevent kicks, I made the game solo in normal servers and multiplayer in private servers, so you can play with your friends without getting kicked.

What you could do is make a textbox which would put that text in the script that would always run.

They mean a game where you input text in a textbox and it runs whatever code you put in there on the server. They are pretty easy to make, all you have to do is enable loadstring.

Not if you know what you’re doing.

loadstring returns a function. setfenv can set the environment of a specific function.

Example in which only the math library is accessible. Trying to reference any existing instances is impossible since there’s no global variable to start at. Doing anything like ‘game.Workspace’ will error because there is no ‘game’ in the environment.

local expression = "math.exp(1)"

local f = loadstring("return "..expression)

setfenv(f, {math = math})

local result = f()

print(result) -- e

Example that doesn’t use setfenv, and is therefore vulnerable to malicious code injection:

local expression = "(function() print('haha hacked') game.Players:ClearAllChildren() return 1 end)()"

local f = loadstring("return "..expression)

local result = f()

print(result) 

Some script builder games exclude globals like script, game and workspace from the environment so that people can’t delete stuff, kick players, etc.

2 Likes
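An allowlist version of the setfenv approach from the post above, as an added example that is not part of the original thread. It generalizes the math-only environment to a small set of libraries and functions; `SAFE_LIBS`, `SAFE_FUNCS`, `makeEnv` and `runSandboxed` are hypothetical names, and it assumes a server script with loadstring enabled.

```lua
-- Added example (not from the thread): allowlist sandbox using loadstring + setfenv.
-- SAFE_LIBS, SAFE_FUNCS, makeEnv and runSandboxed are hypothetical names.
-- Assumes a server Script with loadstring enabled.
local SAFE_LIBS = { math = math, string = string, table = table }
local SAFE_FUNCS = {
	print = print, tostring = tostring, tonumber = tonumber,
	type = type, ipairs = ipairs, pairs = pairs, select = select,
}

-- Build a fresh environment per run so one script cannot leave globals
-- behind for the next. There is no metatable and no __index fallback,
-- so any name that is not listed above resolves to nil.
local function makeEnv()
	local env = {}
	for name, lib in pairs(SAFE_LIBS) do
		local copy = {} -- hand out a copy, never the shared library table
		for key, value in pairs(lib) do
			copy[key] = value
		end
		env[name] = copy
	end
	for name, fn in pairs(SAFE_FUNCS) do
		env[name] = fn
	end
	return env
end

-- Returns ok, result-or-error. Compile and runtime errors are both reported
-- to the caller instead of being raised in the calling script.
local function runSandboxed(source)
	local chunk, compileError = loadstring(source)
	if not chunk then
		return false, "compile error: " .. tostring(compileError)
	end
	setfenv(chunk, makeEnv())
	return pcall(chunk)
end

-- Constructed sample inputs.
local samples = {
	"return math.exp(1)",                      -- allowed library call
	"return game, workspace, script, getfenv", -- none are in the environment
	"game.Players:ClearAllChildren()",         -- indexing nil fails inside pcall
	"return (",                                -- does not compile
}
for _, source in ipairs(samples) do
	print(source, "->", runSandboxed(source))
end
```

The allowlist only controls which names the script can reach; it does not bound CPU time or memory use.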

That is what I'm trying to do, but I have no idea how I would do that.

When you call setfenv you would just make sure there are no references to any instances that are descendants of the game.

This script here has the original environment but uses a metatable method to filter out restricted globals:

local source = [[
print("this is sample code")
game:GetService("Players"):ClearAllChildren()
]]

local compiledFunction = loadstring(source)

local env = getfenv(compiledFunction)

-- edit how you want
local notAllowed = {"script", "game", "workspace", "getfenv", "setfenv", "_G", "require"}

local sandbox = setmetatable({}, {
	__index = function(_, var)
		if (table.find(notAllowed, var) ~= nil) then
			error("'"..var.."' is restricted.")
		else
			return env[var]
		end
	end
})

setfenv(compiledFunction, sandbox)
compiledFunction()

2 Likes

You could check the source of the script:

local bannedScriptWords = {":Kick()", ":SetAsync"} -- Add more if you want.
local source = scriptBeingExecuted.Source
for _, keyword in ipairs(bannedScriptWords) do
	if (source:find(keyword, 1, true)) then
		--What you want to do if the script has one of the words from the table
	end
end

Using string.find (3rd one down on the string page of the Roblox Creator Hub documentation).

Kind of simpler than what @blokav said.

1 Like

Basically a server-side executor?

Indeed. Pretty simple to make as long as you have knowledge of remote events and loadstring.

1 Like