Option to disable Ban API on experience

hoontee · July 2, 2024, 11:44pm

I currently have an experience dedicated to custom map testing in private servers.

Players will ask the game server to load their public module containing a map. Although this opens up the custom map testing experience for remote code execution, no single API has led to permanent effects.

With the introduction of Ban API, malicious actors now have the opportunity to anonymously and irreversibly lock out all players from the experience across all other private servers.

Outside my own situation; Ban API could also potentially be utilized in public modules in any experience anonymously and irreversibly.

Please, do add an experience setting to disable Ban API, ASAP.

Brylan_Leske · July 2, 2024, 11:46pm

You need to secure your game better if you dont want that happening. Sandbox the user code, or not allowing it to run would do the trick.

hoontee · July 2, 2024, 11:48pm

The entire experience is the sandbox. It has worked up until now.

Brylan_Leske · July 2, 2024, 11:54pm

You should not be doing that, it gives the player the ability to mess with datastores, replicate unfiltered text, etc to to other clients.

But, I do see how your request makes sense for your case.

A workaround that should work in the meantime could be to run GetBanHistoryAsync every so often and remove all bans.

hoontee · July 2, 2024, 11:56pm

GetBanHistoryAsync accepts a UserId to check its ban history; there is no API - and by extension, no ban detection methods - to discover who all has been banned, unfortunately.

DataStores go unused in this environment and unfiltered text is both the fault of the map maker and can only ever display to whoever is in that private server with the map maker.

SoCalifornian · July 3, 2024, 3:52am

yeah I agree, this is not a Roblox issue, this is purely a system design issue. Regardless of whether issues have happened so far or not, it is up to you to sandbox module execution and not up to Roblox.

This is a very weak use-case because it’s built on insecurity and is applicable to a very small set of users (potentially only you in this instance)

NPCPlayer2421 · July 3, 2024, 3:55am

Also OP, you shouldn’t trust the client in anyway in Roblox, consider making a level-editor with people loading their own levels using JSON data they can paste into some TextBox, and have custom maps load/spawn logic that the game already has scripted, you can still have unsecured code if you want but having unsecured code run on a multiplayer game is very risky so i don’t recommend unless it’s entirely singleplayer and other players can’t affect each other.

So TDLR; make a level editor that allows users to only spawn props and pre-existing game logic

SoCalifornian · July 3, 2024, 3:56am

Support, some games don’t need Ban API and maybe have it enough with a vote-kick systems

Then just don’t use it. There doesn’t need to be a disable.

NPCPlayer2421 · July 3, 2024, 3:56am

Oh yeah, i prob should edit my comment

Brylan_Leske · July 3, 2024, 4:17am

You’re right, it doesnt seem like there is a work around for any in-game systems at this point in time, my bad.

If the problem is something your experiencing currently and desperately need a fix, i.e. you have already discovered players abusing this api and wish to stop it, this cloud api endpoint may interest you.

You’d have to host the code yourself, but this should get the recent ban logs…
https://apis.roblox.com/cloud/v2/universes/{universe}/user-restrictions:listLogs?maxPageSize=10&pageToken={string}&filter={string}

debugMage · July 3, 2024, 4:27am

This is such an incredibly interesting problem.

A feature so unprotected that people ask for a way to disable it. However, this is not unheard of, so I can see it being added.

This feature should have an optional lock to prevent abuse in sandbox experiences or ones with backdoors. It needs the same security as HttpService, Loadstring, and 3rd Party Teleports.

hoontee · July 3, 2024, 4:28am

So there is API, just not accessible in-game. I can certainly benefit from this - thanks for sharing!

hoontee · July 3, 2024, 4:31pm

I made a temporary workaround in Node.js which completely wipes all active bans in an array of experiences:

wipe-bans.txt (2.5 KB)

hoontee · July 5, 2024, 8:46pm

Checked bans today and yes, it’s being abused.

Homeomorph · November 13, 2024, 7:36pm

@hoontee have you seen this? I wonder if you can use this to prevent UGC maps from accessing sensitive APIs

EDIT: I just saw your reply on that thread! I hope we can get this working for you soon.

hoontee · November 14, 2024, 2:14am

Yes, the Script Capabilities feature has negated the need for this feature request, so it should be closed.

(Definitely looking forward to that sandbox escape fix!)

hoontee · November 14, 2024, 2:44am

I just noticed Players.BanningEnabled was added yesterday, and although I can disable it in the Properties pane, it has no effect.

Regardless; I’m going to mark this as the solution since it’s being implemented!