Lua 5.1 has a well-known RCE with its bytecode that Luau is also vulnerable to. Do we consider Luau unsafe for this reason? No, because Luau will never compile to bytecode that's malicious.
Additionally, Luau prevents the loading of arbitrary unsigned bytecode.
The same logic applies with graph-based shaders: you don't get to write the underlying HLSL or GLSL files, and Roblox can then prevent the graph editor from creating malicious shaders.
This. This is exactly what I said before. Because you aren’t going to allow sending arbitrary HLSL/GLSL code, this is just a massive security risk. Instead Roblox could create their own shader graph format that stores instructions, which are just sent to their publishing servers which handle the compilation of these shaders to optimize for runtime, which could then be embedded into the published place file. This would also allow the server to reject invalid or malicious data?
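A sketch of the server-side step described above, added here as an illustration and not part of the thread or any Roblox code: the publishing server accepts only a node graph, validates it against an allowlist, and generates the shader text itself. The graph layout, op names, limits and `validate_and_compile` are all assumptions made for the example.

```python
# Added illustration; the graph format and every name here are hypothetical.
# Untrusted input is a node list; shader text comes only from trusted templates.
TEMPLATES = {"uv": "uv.x", "add": "{} + {}", "mul": "{} * {}",
             "sin": "sin({})", "mix": "mix({}, {}, {})"}
MAX_NODES = 256      # bound the compile cost of a single upload
MAX_CONST = 1e6      # also rejects NaN and infinity (comparison is False)


class GraphRejected(ValueError):
    """Raised when an uploaded graph fails validation."""


def validate_and_compile(graph):
    """Validate an untrusted shader graph and emit GLSL-like source."""
    nodes = graph.get("nodes") if isinstance(graph, dict) else None
    if not isinstance(nodes, list) or not 0 < len(nodes) <= MAX_NODES:
        raise GraphRejected("node count out of range")
    out = []
    for i, node in enumerate(nodes):
        op = node.get("op") if isinstance(node, dict) else None
        if op != "const" and (not isinstance(op, str) or op not in TEMPLATES):
            raise GraphRejected(f"node {i}: op not in allowlist")
        inputs = node.get("inputs", [])
        arity = 0 if op == "const" else TEMPLATES[op].count("{}")
        if not isinstance(inputs, list) or len(inputs) != arity:
            raise GraphRejected(f"node {i}: wrong number of inputs")
        # Inputs may only point at earlier nodes: no cycles, no wild indices.
        if any(type(r) is not int or not 0 <= r < i for r in inputs):
            raise GraphRejected(f"node {i}: invalid input reference")
        if op == "const":
            v = node.get("value")
            # Strict type check: strings and bools never reach the output.
            if type(v) not in (int, float) or not abs(v) <= MAX_CONST:
                raise GraphRejected(f"node {i}: invalid constant")
            expr = repr(float(v))
        else:
            expr = TEMPLATES[op].format(*(f"n{r}" for r in inputs))
        out.append(f"float n{i} = {expr};")
    out.append(f"return n{len(nodes) - 1};")   # last node is the result
    return "\n".join(out)


if __name__ == "__main__":
    sample = {"nodes": [{"op": "uv"}, {"op": "const", "value": 2},
                        {"op": "mul", "inputs": [0, 1]},
                        {"op": "sin", "inputs": [2]}]}   # constructed input
    print(validate_and_compile(sample))
```

Only node indices and range-checked numbers are ever formatted into the output, so extra or unexpected fields in an uploaded node have no path into the generated source.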