Models Uploaded with a Script that Contains a Require() pointed to an AssetID Autobans Account

[THIS BUG REPORT HAS BEEN WITHDRAWN]

Bug Report Details: Any Model with a script that uses a require(), even if not enabled such as just put in as a comment, will result in an automated ban of the account that submitted the model.

Where: Roblox Website

When: Always

Environment: Windows 10, 16GB of RAM or Windows 7 Pro, 16GB of RAM

How to Reproduce: Create a part, create a script under that part, in the script just put this anywhere that points to some asset ID that exist somewhere. Save the script, upload the Model to Roblox, set it for Public, wait a few seconds or minutes for your account to be banned for day(s).

Code to Reproduce:
Create a ModuleScript Named “MainModule” with this code, upload it as a Model. Make Note of the Asset ID number.

local module = {}
function module.Test()
	print("Test Called")
end
return module

Create another script on a part, put this code into it:

local TestModule = require(1234567890) -- Asset ID
TestModule.Test()

Change the asset ID to the number from your earlier published Model. Upload the part as a Model and Publish in the Marketplace. Ban is usually instant or takes a few minutes.

This also works if the code is simply commented out to be non-functional.

--local TestModule = require(1234567890) -- Asset ID
--TestModule.Test()

Ban Message:
Moderator Note: Roblox does not permit bypasses of our systems that keep our platform and community safe and secure.

Screen-shot:

Additional Information:
Bug Also Seems Related to This:

8 Likes

Thanks, we’re looking into this

2 Likes

Is this fixed? I’m scared to add any code even remotely related to this. especially if it leads to a ban not just a warning.

Thanks for reporting. Our safety system had temporary miscalculations that have been fixed. Note that we do issue punishments for assets that are serious violations of Roblox ToS (also see Creator Marketplace: Improving Model Safety). The code you linked is in violation of our policies. We’re working on undoing any false bans to users.

@Tanks_altNum1 if you find that you were not violating any of the patterns mentioned in the post linked above such as requiring external assets, getfenv, obfuscated code, or loadstring but still get banned, please file an appeal and/or let me know

1 Like

I would suggest putting a warning in the documentation for Require() Roblox Globals | Documentation - Roblox Creator Hub

Also note that if the ModuleScript the user wants to run has been uploaded to Roblox (with the instance’s name being MainModule), it can be loaded by using the require() function on the asset ID of the ModuleScript, though only on the server.

I understand the logic behind this, but linking to a bad public resource ID means that said bad resource ID has already bypassed your filters since it’s already public? :thinking:

Just so I understand, No One should be using require to link to a public Asset ID for any reason?

1 Like

That’s what I’m confused about, also don’t major toolbox scripts use this feature, like HDadmin requires their loading module:

@Tanks_altNum1

What I think is going on is that a model is being uploaded where the script requires a public resource. Apparently that is a no-no. The thing about HD Admin though, is interesting.

They’re whitelisted assets. I don’t know when this will change.

If I had found that earlier, I probably would have not created the bug report, thanks for the link. :grinning:

To quote the announcement:

Requiring remote assets, specifically require(assetId) While this API can be useful for auto-updating assets within your experiences, the majority of use cases in public models are malicious. A model that may look useful on the surface, for example, could load another “virus” asset at runtime. This change will make it easier for developers to understand what functionality each model contains.

1 Like

I understand now after reading this link: Creator Marketplace: Improving Model Safety

I will withdraw this bug report as from what I can see, it’s working as designed. I didn’t know about this type of security filtering for the use of require(), so hopefully anyone else that finds this topic in the future will understand how to avoid getting account bans. :sweat_smile:

That is correct for assets that you distribute on marketplace; but if you create an asset and don’t toggle that “Distribute on Marketplace” toggle (meaning that only you can access it and it is not publicly available on Creator Marketplace), then you’re free to require whatever assets you want that are not against Roblox’s ToS.

Yeah, we plan to include more info about how these patters are not allowed in future documentation

2 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.