New Require Introspection Feature

This isn’t necessarily true. The spam could come from the script, which after spamming requires the module.

Either way though, it would be very clear which script has malicious code.


Edit:
It would be nice though if the messages went into a different category so we could search for them even if there is spam.

(currently they go into “Log” like print statements)

17 Likes

A free model that reposts another gun model could modify the gun controller module that so happens to be another model (like the official ROBLOX RPG models do) to spam fake require messages after some real log output from different things that will happen like the raycast debug output and then require the real module in the middle.

6 Likes

Oh that is a good point. I was only thinking of the spamming coming from the module and not the script that required it. Thanks for mentioning that!

6 Likes

The malicious script can spam enough so that the require print gets erased because there’s a limit to how many logs the console shows before it starts removing older ones so this is not true.

7 Likes

Yes I realize this which is why I mentioned:

But as another person pointed out, the printing could be from the script that required it and not the module which would be much harder to identify the module that was required.

However, I want to mention this. If for any reason your game is having this activity, shut it down immediately and review your game content. Do a recursive search through all content in the game for scripts of any type and look through them all. If you are careful enough, this issue shouldn’t really be happening in your game in the first place, but I do understand that it is easy to overlook something, especially if you are a beginner developer.

8 Likes
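The recursive search suggested in the post above, as an added example that is not part of any post in this thread. It is Luau meant for the Studio command bar; the pattern only catches literal `require(<number>)` calls, so obfuscated code that builds the id at run time still needs manual reading.

```lua
-- Added example (not from the thread). Run in the Studio command bar:
-- script Source is readable only from the command bar or a plugin.
local findings = {}

local function inspect(container)
	local ok, source = pcall(function()
		return container.Source
	end)
	if not ok or type(source) ~= "string" then
		return
	end
	local assetIds, otherRequires = {}, 0
	-- require(<numeric literal>) loads a module by asset id
	for id in source:gmatch("require%s*%(%s*(%d+)%s*%)") do
		table.insert(assetIds, id)
	end
	-- every remaining require call is counted for manual review
	for _ in source:gmatch("require%s*%(") do
		otherRequires += 1
	end
	otherRequires -= #assetIds
	if #assetIds > 0 or otherRequires > 0 then
		table.insert(findings, {
			path = container:GetFullName(),
			assetIds = assetIds,
			otherRequires = otherRequires,
		})
	end
end

for _, service in ipairs(game:GetChildren()) do
	-- some services refuse enumeration; skip those instead of aborting
	local ok, descendants = pcall(function()
		return service:GetDescendants()
	end)
	if ok then
		for _, inst in ipairs(descendants) do
			-- LuaSourceContainer covers Script, LocalScript and ModuleScript
			if inst:IsA("LuaSourceContainer") then
				inspect(inst)
			end
		end
	end
end

for _, f in ipairs(findings) do
	if #f.assetIds > 0 then
		warn(("%s requires asset id(s): %s"):format(f.path, table.concat(f.assetIds, ", ")))
	end
	if f.otherRequires > 0 then
		print(("%s: %d other require call(s) to review"):format(f.path, f.otherRequires))
	end
end
print(("%d script(s) contain require calls"):format(#findings))
```

Scripts reported with an asset id are the ones to open first; compare each id against the modules you knowingly depend on.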

Either way this would be far more useful a feature if it was displayed in its own developer console tab instead where there is a guarantee that it won’t ever get cut off or not shown to the user. As of right now, I’d say my own plugin I made a while back does a better job at showing what code in your game is using requires.

8 Likes

Could we have an option to disable this?

36 Likes

What effects will this have on obfuscated modules?

8 Likes

Probably none since it still calls require.

5 Likes

Absolutely love this, will help a lot in reducing the spread of malicious assets!

I would, even more, love it if there was a place in the console (serverside) that would list all required modules in a specific game, so a malicious module can’t fill the server logs in an attempt to hide, as well as the order in which they were required and if they were required by another module.

Either way, keep up the great work! Love seeing these sorts of things get added.

14 Likes

This is an amazing feature and I am happy it was implemented! From what I have seen from previous replies, having these in a different printing category would make it so much easier to find the sneaky requires. I’d even love to see it in a different colour to ensure that it cannot be mistaken for a print, warn, or error.

5 Likes

Seems like those annoying require chains are finally going bye bye.

7 Likes

Appreciate it. I hope that in the future the next step is allowing us to disable MainModule requires in our experiences entirely. Roblox has made a few updates in order to secure us against backdoors, but I think the most important step that should’ve been done from the start is allowing us to cut off the source to begin with and reject third party requires in our experiences if we wish.

14 Likes

allowing us to disable MainModule requires in our experiences entirely

This to the moon!
It would also be handy to have a whitelist, so games that need them are able to prevent all other module assets from being loaded.

8 Likes

If require was used on a client to run a cheat script, would that print in the server side console for the developer to see?

5 Likes

Is there any way to disable this, as it may be annoying for some users?

13 Likes

Nope, it doesn’t.

Cheats are undetectable on the client, the best thing you can do is to have your game secure by design.

6 Likes

They aren’t ‘undetectable’. Client sided anti-cheats and honeypots are a good way to weed out a lot of exploiters, particularly common cheats that are used in lots of games.

This change won’t affect cheats, and they don’t use the require(id) method anyway, generally pulling information and code from external sources.

7 Likes

Honestly, this is just annoying. I don’t see where you get the idea that people actually still hide viruses in requires; in my five years on Roblox I’ve only ever seen this happen a couple of times.
This almost seems like fearmongering at this point.

6 Likes

Here’s what I gathered from feedback:

  1. Make an option to disable this or print it elsewhere / a new category so it’s easier to hide / ignore.
    – That’s a great idea. It’s owned by another team, but I’ll bring it up with them for consideration.

  2. Make a mechanism to disallow some / all requires in a per place or universe mechanism.
    – This is on our agenda, but introspection and other features come first.

  3. Provide more information about the asset than just the id (name, creator).
    – We wanted to do this, but chose not to do this now for performance reasons because the network requests needed could delay place startup.

Thanks!

42 Likes