Show 3rd party required modules (ID and source scripts) and offer option for disabling 3rd party dependencies

As a Roblox developer, it is increasingly difficult to discover/remediate/patch vulnerabilities and exploits in our experiences. For every step we take to remediate/patch our experiences, the creators of these malicious tools are two steps ahead.

Previously it was easy to discover if your game had a module in it that was vulnerable (By searching for ‘require’ w/find all scripts, and seeing if there was unrecognized modules/asset IDs that were linked to external modules published to the Roblox website). Because of the nature of modules published to the website, you cannot view the source of these questionable modules, and how they affect your experiences.

As of recently, these bad actors have improved their methods to avoid detection. Using getfenv/setfenv, string concatenation, and other methods, they are becoming increasingly difficult to discover.

Even worse, if your game relies on 3rd party assets being inserted at the runtime (Such as loading models owned by the group owner of an experience into the game), it introduces another attack vector where malicious actors can insert scripts/modules into these models, which are impossible to detect until it’s too late (Unless you analyze the models by hand and in a non-runtime environment). Malicious intent by an internal party (Such as a developer who inserts malicious code willingly and intentionally) is seldom the case, as 3rd party plugins can insert modules/scripts into random models that are buried deep to avoid detection.

I propose that Roblox adds three features to Roblox Studio (And the runtime environment) to assist us developers w/closing off vulnerabilities + active attacks against our experiences.

  1. I request that Roblox add a feature into Roblox Studio that shows you what 3rd party assets are being utilized w/external resources (Either via insert service or require w/a 3rd party asset ID). It could be like the find-all feature, where it shows all external dependencies are being used, what asset ID is being used, and the full path of the script/module in question.
  2. There should be an option in Studio (Similar to how you can turn off HTTP requests) that blocks requiring 3rd party modules (Uploaded to Roblox) from being required from the website. An exception could be allowing modules uploaded to the website (For the owner of the experience/group that owns the experience), but in my opinion, modules w/packages would supersede the need for that.
  3. In the runtime (Server/client-side) w/the logs, I believe it would be wise to print in the output (As a warning, to easily identify the logs) if an external 3rd party module is being required from the website, and the source of it. The reason for this is so assets that are inserted in the run-time (Example being a 3rd party asset inserted at the game’s run-time) are able to be traced.

If Roblox were to implement even a fraction of these changes, I believe it would assist us developers w/protecting our experiences from malicious actors.

Thank you for taking the time to read my proposal, feedback is appreciated!

15 Likes

I definitely support a ThirdPartyModulesPolicy type of property, with Deny, Warn and Allow options. Existing games should use Warn, and new games should default to Deny.

Unfortunately, it would take very complex static analysis to even partially detect usages of functions (e.g. require(12345) or InsertService:LoadAsset(12345)) that could potentially run 3rd-party code. And emitting a warning only once attempted might not even be enough, as there’s no guarantee that insecure code would even attempt calling such functions. It’s for this reason a warning might not be better than an outright rejection.

Allowing us to explicitly specify a list of asset IDs-version pairs would be best. It’s the far-more-convenient equivalent of inserting at edit time and re-uploading it as our own.

6 Likes

I second this. I have been wanting a popup window for alerting the user that there is a script in the free model they are inserting into their game for a long time.

With the use of set/getfenv and other methods such as LoadAsset, loadstring and web calls, it has become increasingly harder to catch malicious things.

I think if Roblox were to introduce a firewall type system, similarly to how Ozzypig stated above, it would improve the overall security of games on the platform.

Maybe Roblox could have a system which statically analyses all of a game’s codebase (on button click, for example) and then spits out all of the scripts, with their line numbers, which perform web calls, whether third party or Roblox API calls. Anything that isn’t a default Roblox function of course.

Thank you for implementing this, Roblox staff! :grin:

3 Likes