How to disable string methods in loadstring?

I want to enhance the user experience by allowing them to manipulate object behaviors through code, similar to Blender’s driver and After Effects’ expressions.

I’m considering methods to prevent both the server and client from freezing.

I can use setfenv to assign global variables to an empty table. This blocks users from accessing secure instances such as workspace, game, ReplicatedStorage, and so on.
Additionally, it allows access only to what general players can access.

It is also easy to detect loop-related keywords, and the code length can be limited before using loadstring.

BUT

string remains an object, not a global variable,
in Lua, even when using setfenv with an empty table,
users can exploit the string.rep method to overload memory instantly :(

For example:

local SAFE_GLOBAL_ENVIRONMENT = {
	print = print
}

setfenv(function() 

	print( `String library is nil: {string == nil}` )

	print(("I WILL EXPLODE THE SERVER"):rep(10000000))

end, SAFE_GLOBAL_ENVIRONMENT )()

-- In Lua, the string is an object, so its methods are still accessible, 
-- even though the string library isn't

So, I need to block methods of the string.
How can I block string methods?

1 Like
print(("I WILL EXPLODE THE SERVER"):rep(9999999999999))

I’m not an expert on this kind of stuff, but running this in Studio just returns an empty string and doesn’t crash.

1 Like

To disable string methods in Loadstring in Roblox, you can use a technique called “string obfuscation”. This involves converting the string into a different format that cannot be easily recognized and executed by the loadstring function. Here’s an example of how you can obfuscate a string:

local originalString = "YOUR_ORIGINAL_STRING"

local obfuscatedString = ""
for i = 1, #originalString do
    obfuscatedString = obfuscatedString .. "\\" .. string.byte(originalString, i)
end

loadstring(obfuscatedString)()
1 Like
print( #("a"):rep(2^30) )

Although a string of 2^30 characters does not cause a crash, it can cause a lag spike with just inline code.

1 Like

Thank you, but I’m sorry, I didn’t ask how to make loadstrings difficult to decompile.
The approach you suggested cannot block string methods.

I want players in the game to be able to manipulate certain objects by coding in Lua,
similar to Blender’s driver and scripting, and After Effects’ expressions


^ Blender Driver

However, some malicious users might exploit this system to cause lag spikes.

I can handle most cases, such as loops and indexing secure instances, but blocking string methods is difficult

1 Like
print(("a"):rep(2^30) )

Okay, running this did cause a significant lag spike.

My only idea would be to literally block the letters “rep” for this specific case. (I don’t think there is a way of calling the function without writing out “rep”)


(unrelated)

Pro tip: don’t directly copy and paste ChatGPT responses into your reply on the DevForum. @RobloxHasTalentR

(I’ve used ChatGPT enough to know how they talk and this is definitely a ChatGPT response, especially because it’s unrelated to OP’s question)
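
The pre-check described in the question (a length limit and keyword detection before loadstring), rewritten as an allow-list instead of a block-list; this is an added example, not code from any poster in the thread. Because quotes, `:`, `[` and `..` never pass validation, no string value exists inside the sandbox, so string methods cannot be reached. The names validateExpression, compileExpression, ALLOWED_TOKENS, MAX_LENGTH and the inputs t and x are assumptions for illustration, and it relies on loadstring and setfenv as used in the question.

```lua
-- Added example, not code from the thread; every name below is hypothetical.
local MAX_LENGTH = 200
local ALLOWED_TOKENS = {}
for _, token in ipairs({ "t", "x", "math.sin", "math.cos", "math.abs", "math.floor",
	"math.pi", "+", "-", "*", "/", "%", "^", "(", ")", "," }) do
	ALLOWED_TOKENS[token] = true
end

-- Returns true, or false plus the first token that is not on the allow-list.
local function validateExpression(source)
	if type(source) ~= "string" or #source > MAX_LENGTH then return false, "(too long)" end
	local pos = 1
	while pos <= #source do
		-- Longest recognised token at pos; anything else is taken one character at a time.
		local token = source:match("^%s+", pos) or source:match("^%d+%.%d+", pos)
			or source:match("^%d+", pos) or source:match("^math%.[%a_][%w_]*", pos)
			or source:match("^[%a_][%w_]*", pos) or source:sub(pos, pos)
		-- Whitespace and plain decimal numbers pass; every other token must be listed.
		if not (token:find("^[%s%d]") or ALLOWED_TOKENS[token]) then
			return false, token -- quotes, ':', '[', '.', '{', keywords, other names
		end
		pos = pos + #token
	end
	return true
end

-- Validates, compiles, and returns a function (t, x) -> ok, value.
local function compileExpression(source)
	local ok, rejected = validateExpression(source)
	if not ok then return nil, "rejected token: " .. rejected end
	local fn, err = loadstring("return " .. source)
	if not fn then return nil, err end
	local env = { math = {} } -- only the listed math members exist inside the sandbox
	for token in pairs(ALLOWED_TOKENS) do
		local member = token:match("^math%.(.+)$")
		if member then env.math[member] = math[member] end
	end
	setfenv(fn, env)
	return function(t, x)
		env.t, env.x = t, x
		return pcall(fn)
	end
end

-- Constructed inputs: one driver expression, then payload shapes from the thread.
for _, source in ipairs({ "math.sin(t * 2) * x + 0.5", '("a"):rep(2^30)', "while true do end" }) do
	local driver, reason = compileExpression(source)
	print(source, "->", driver and select(2, driver(1, 3)) or reason)
end
```

With no loops, no function definitions and a 200-byte cap, each accepted expression does a bounded amount of arithmetic; extend ALLOWED_TOKENS only with names whose cost does not depend on attacker-chosen sizes.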