Removing Support for Third Party Closed Source Modules

I like this Roblox proposal; it is a great way to try to patch the virus in the free models. Tbh I don’t use free models because of that. Way to go, Roblox.

The only thing I would like is the ability to hide certain forms of HTTP requests when I share my code. If I am accessing a MongoDB for data information and it is using a React API, I don’t want anyone to see that API key. I’m fine with them seeing the URL, because what use is it to them if they cannot do anything with it, but accessing it is another story. So I’m not sure what the best course of action is for that. I think that is the problem @SquirrelByte is having with terabyte. I have no problem giving up closed source modules, because frankly it is a huge security risk, but specific things like HTTP requests, or at least the API keys, headers and bodies, need a way to be hidden, even in a public model, or the original creator’s backend is completely vulnerable.

1 Like

This will absolutely not stop any free model viruses; usually free models don’t even use private modules.

9 Likes

It’s generally bad practice to keep API keys in plain text anyways.

In a regular game, any http stuff is in SSS so no one can get to it. With that being said, you need to keep stuff visible from now on and if you want to have a public model that requires the use of http service and an api key, what exactly would you do?

I will always be against this proposal due to the fact there is a multitude of better ways to handle this. For instance, you just released a thread on a vulnerability (Script Injection Vulnerability), and why can’t there be a plugin/tool made by Roblox to detect specific require() that call in a module? I.e. search through scripts, and if there’s a require(1234) it’ll notify the user of the location? There’s still that great idea of AllowThirdParty if the user wants to opt in and trust what they use, otherwise they can opt out and go about making their own stuff.

3 Likes
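An added example, not part of the thread and not a Roblox tool: a minimal offline scan of the kind suggested in the post above, run over script sources exported as text. It reports `require()` calls with a numeric asset ID and flags the calls a plain text search cannot resolve; the script paths, asset IDs and the `scan` helper are constructed for illustration.

```python
import re

# Constructed sample scripts (not from the thread); asset IDs are made up.
SAMPLES = {
    "Workspace.Door.Script": "local m = require(1234)\nm.init()\n",
    "ServerScriptService.Main": "local util = require(script.Parent.Util)\n",
    "Workspace.Tree.Weld": "local id = 5 * 1000\nrequire(id)  -- computed ID\n",
    "Workspace.Car.Fix": "local r = require\nr(1234)\n",
}

CALL = re.compile(r"\brequire\s*\(\s*([^)]*?)\s*\)")
NUMERIC = re.compile(r"^(0[xX][0-9a-fA-F]+|\d+)$")
# Constructs that can reach require() without writing it as a literal call.
INDIRECT = re.compile(r"\b(getfenv|loadstring)\b|=\s*require\b(?!\s*\()")

def strip_comment(line):
    # Naive: drops everything after "--"; does not handle "--" inside
    # strings or multi-line --[[ ]] comments.
    return line.split("--", 1)[0]

def scan(path, source):
    """Return (path, line, kind, detail) tuples for one script's source."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        for m in CALL.finditer(line):
            arg = m.group(1)
            if NUMERIC.match(arg):
                asset = int(arg, 16) if arg[:2].lower() == "0x" else int(arg)
                findings.append((path, lineno, "asset-id", asset))
            elif not arg.startswith(("script", "game")):
                # Argument is not a literal ID or an in-place instance path.
                findings.append((path, lineno, "dynamic-arg", arg))
        if INDIRECT.search(line):
            findings.append((path, lineno, "indirect", line.strip()))
    return findings

def scan_all(scripts):
    out = []
    for path, src in scripts.items():
        out.extend(scan(path, src))
    return out

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(*finding, sep="\t")
```

The `dynamic-arg` and `indirect` findings only mark lines for manual review: a text scan cannot tell which asset such a call loads, so it narrows the search rather than clearing a model.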

I think the primary issue is if a developer “went rogue” per se, or eventually had a plan to mess up large masses of games, they could have a perfectly safe module at first, but then modify the code at some point to allow access to the server or just destroy a game outright. Then what do you do besides removing it? You still had that vulnerability for that period of time.

1 Like

Ctrl + Shift + F exists. I doubt Roblox is going to blacklist specific modules when they can delete the malicious asset anyway.

2 Likes

There will always be that issue, but it is up to the owner to trust. If they feel like it’s causing it, opt out. Use your own stuff.

Mhm, but where I’m getting at is plugins as well. You can always grab the plugin’s source and all, but a lot of people don’t know how to do that.

Yes, but like already said here, this can be bypassed by not using ‘require’.

Not even mentioning that that feature doesn’t even work for everyone.

3 Likes

There have been several PSAs to check what plugins you’re installing, and this does not change. Plugin, module, or model, it’s your duty to check over what is used in your game and report malicious assets.

5 Likes

Generally? Don’t use API keys in public code. If you’re doing that, you’re almost certainly doing it wrong. If you have to for whatever reason I would love to see the use case for that.

2 Likes

Like Colbert said, it’s all but impossible to automatically detect a function in Lua because you can obfuscate it so thoroughly. You would need to pre-process the script, and as far as I know no one has built a way to do that with Lua automatically yet.

Let’s say I open source my admin panel. Currently I have it connect to a database and check for moderation actions so I can have a synced moderation list over multiple group games. Now let’s say I open sourced the panel, but didn’t necessarily want to open source the actual backend. How would I go about that? Have it so each developer creates a unique API key using a web portal and then puts that in their game? That seems overly complicated and unnecessary.

2 Likes

In that case I would say you should use a public module to host a list of the moderation action and use public endpoints on your database to get information about those specific actions. You don’t need to have the backend public, but unless I’m missing something you shouldn’t need to have it public to get a list of moderation actions, seeing as they’re already public in the panel.

This is ignoring the fact that you’re publishing something and open-sourcing it so you really should expose the backend, and that you’re asking people to put an admin panel in their game that they can’t see the source to.

I am really against removing module scripts. If they were to remove it they should at least give us something back, as a compromise. There’s a reason why people do not want to give away their source code, like @SquirrelByte is talking about.

Sure (the ones of you who want module scripts removed), you want it back. But are you using module scripts made by others, are you waiting to use module scripts until they have been open-sourced, or don’t you use them but still want them removed?

(This is not meant to harass anyone, just wondering) If Roblox wants us to open source our module scripts so everyone or no-one can use them, well, why doesn’t Roblox open source Roblox Player or Roblox Studio? Exactly, they can’t, it would reveal wild secrets that we should not know about, and this is how I, as a Roblox developer, feel as well.

6 Likes

Also the fact that a ‘solution’ is coming late in the year isn’t much of a solution. Some people make their most profit off of private modules being their source of business, and this is ripping them off. If they offered the opt in/opt out at least the week they remove modules, I’ll be fine with that.

4 Likes

I think to be honest that an AllowThirdPartyModules option would be best. This would be set to false by default, making the ones that don’t know the risk safer from malicious ones.

5 Likes

I totally agree! I can see the need to remove it due to most of the front-page game creators being inexperienced devs (no offense but come on, tycoons and adopt me games are front page?) and these games being easy to target.