Introducing Plugin HTTP Permissions

Regarding require, @RoxyBloxyy addressed that at the end:

This is just the tip of the iceberg for content security. Our team is working hard on the next set of permissions to help mitigate some of the major weaknesses reported by all of you including preventing unauthorized game teleports and script injections.

require(assetId) is one form of script injection, and it is super useful when not used maliciously. There are a number of other forms of script injection, too.

7 Likes

Can we hope to see something that addresses which modules have been required? Alternatively something that can watch the script environment call by call, index by index?

I’ve already done it myself but it uses some extremely hacky metatable tricks and I also need a guaranteed reference to a script to do it because I need to be able to reference a given script’s environment. (Usually I inject my own code into the module / plugin I am looking at and call my own module)

local callingEnvironment = getfenv(2)

local callingEnvironmentMetatable = {}

function callingEnvironmentMetatable:__index(key)
    local original = callingEnvironment[key]

    print(key, original)

    return original
end

setfenv(2, setmetatable({}, callingEnvironmentMetatable))

warn(a)


3 Likes

Not at all, my point was that people generally install plugins made by respected/trusted users. How often would you say you install a random plugin that is botted to the top of the library? I would also think that people that have games worth thousands or millions of dollars would be smart enough to avoid those plugins as well. Stealing a game is pointless because Roblox will take down any re-uploads of stolen places/assets. Yes, it was a problem before this update but it is a lot less serious than you’re making it seem.

3 Likes

My recollection is that HttpEnabled isn’t available to user-level Studio plugins and trying to access it produces an error. Even if it is available / returns a value, the HttpService requests are your final source of truth on if the requests can go through.

1 Like

A few questions.

HttpService.HttpEnabled is no longer used for Studio plugins with this change.

  1. This answer leaves me with a question still. The actual value returned to a plugin makes a difference, for example if a plugin does a manual check that HttpService.Enabled was true and prompted the user if it was false. Would that plugin break now (if the value returned is always false) until the developer updates it?

  2. After denying or allowing a request, can I change that permission later without reinstalling the plugin?

  3. Is there a way for a developer to add a message to explain why they’re making a request? I can imagine a prompt coming out of nowhere may be confusing to a developer as to why it’s making a request. A little info bubble where developer can associate a reason with the request would be handy if it isn’t there already.

4 Likes

Since the prompt is only shown when a request is made, you can show them the message before making the request to ensure they understand the reason.

2 Likes

This makes it much safer to use plugins I am not familiar with or am just now looking at.

2 Likes

Thank you so much.

Hopefully this will make it harder for fake plugins to compromise games (especially considering the high-profile attack that happened a couple weeks ago) and close the IP-logging loophole.

2 Likes

I actually have a thread about this if you want to check it out. Tools to crack down on backdoors - View required asset IDs

2 Likes

What I’m asking is a way to view any and all IDs that are being used for require,

You could do it yourself. Try wrapping require and then outputting the passed values, then returning the call of the original require. However, before you do that, try to overwrite the environment of functions of the module you’re calling with your fake require. Doing this recursively will show all chained require calls.

3 Likes
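The wrapper described in the post above, as an added Lua example that is not part of the original thread and not code from any poster. The names `auditRequire`, `instrument`, `seen` and the constructed `fakeModules` table (a stand-in for the real require so it runs offline) are assumptions.

```lua
-- Added example (not from the thread). All names here are hypothetical.
local seen = {}   -- every value passed to the wrapped require, in call order

-- Constructed stand-in for the real require so the example runs offline:
-- module 1001 returns a function that requires module 1002 when it is called.
local fakeModules = {
    [1001] = function()
        return { run = function() return require(1002) end }
    end,
    [1002] = function() return { name = "leaf" } end,
}
local function realRequire(id)
    return fakeModules[id]()
end

local auditRequire

-- Walk whatever a module returned and give each Lua function an environment
-- whose `require` is the logging wrapper; other globals fall through unchanged.
local function instrument(value, visited)
    if visited[value] then return end
    if type(value) == "function" then
        visited[value] = true
        -- getfenv/setfenv can raise on C functions, so guard the swap
        pcall(function()
            local proxy = setmetatable({ require = auditRequire },
                                       { __index = getfenv(value) })
            setfenv(value, proxy)
        end)
    elseif type(value) == "table" then
        visited[value] = true
        for _, v in pairs(value) do instrument(v, visited) end
    end
end

function auditRequire(id)
    seen[#seen + 1] = id
    print("require called with:", id)
    local result = realRequire(id)
    instrument(result, {})
    return result
end

local module = auditRequire(1001)
module.run()   -- the chained require(1002) now goes through auditRequire too
print("ids seen:", table.concat(seen, ", "))
```

Only calls made through the global `require` from functions the module returns are recorded; a require performed while the module body itself runs, or through a `local require = require` captured as an upvalue, never passes through the swapped environment.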

Well, that’s not the point of my post. This is to streamline the process of getting these requires and making it more accessible to regular members.

3 Likes

Once you do it, you never have to write the code again, just reuse the code. So it can become “streamlined”

I guess it would be nice for some functionality to do this however.

3 Likes

Again, that isn’t the point of the post. This is so regular members don’t have to be forced/figure out how to add environment manipulation into malicious scripts. You know how heavy an obfuscated script can be on your script editor to add that environment manipulation. The goal of the post is to allow a much, much easier way of helping the community out by being able to get access to the sources of malicious scripts just by pressing F9 or something similar. They are probably going to spend little to no time on a malicious script if it’s obfuscated when it’s their first time. This post isn’t about the developers, it’s for the community as a whole that could really have an impact on malicious assets.

3 Likes

How would this feature be any different than using studio’s script search feature to find all matches of require?

3 Likes

A lot of malicious scripts have their code obfuscated so it’s not as simple as just searching require.

3 Likes

Yes it is. The obfuscation is flawed because they actually have to use the environment they’re being run in, so if they don’t use a reference to require or some equivalent then they can’t do anything.

Are you referencing the hacky getfenv()[...] trick though?

3 Likes

Obfuscation can be the hacky getfenv() or full-on obfuscation like Synapse Xen, IronBrew, Luraph, and a few others. But again, and I’m gonna keep repeating this, this is for the whole community, people that have little experience with environment manipulation when they want to crack down on malicious assets.

3 Likes

I do understand where you are coming from and it is a good idea, I am just being a little arrogant.

Maybe someone should release a tool that makes this process available for people with little experience manipulating the environment! That would be pretty cool. But I don’t think a tool will be useful to those who don’t understand how any of it works, it helps you much more to know how a tool works when you’re using it so people using a tool that can do environment manipulation for them might get confused.

3 Likes

Well, I get what you mean but this lowers it to a level of just viewing a list of IDs when they understand those are asset IDs. If they just want to at least try helping the community by reporting malicious assets, especially the source where it leads, then it would make it the easiest thing to do.

This tool has no automatic implementation of environment manipulation because I’m hoping they would add logging the ID from the interpreter itself where it can’t check for any of that. I’ve seen backdoors with insane environment protection and never gotten past.

3 Likes

(Was planning on DMing but I think this would be valuable for others)
(We are getting a bit off topic though, perhaps we should move to DMs?)

I have never run into this issue, perhaps I never ran into such an example though.

The only ways I can think of bypassing an environment change are to somehow get another script’s environment without leaking your own environment into theirs and then to use that environment, to check if the wrapped functions are actually C functions (coroutine.wrap errors on C functions), or to check if your tables are readonly (you can’t write to game or math for example). But all of these checks are bypassable using __newindex or by just overwriting coroutine.wrap.

If you do have an example, I would like to see it!!

2 Likes