What are the risks of Loadstring Enabled?

Hi Developers,

I own a product, SmartOrders. It's a cafe ordering system that gets distributed to the public via licensing.

I was wondering, what are the risks of Loadstring Enabled? It would be nice to just hold the code on an external server instead of running it on Roblox servers.

Please don’t tell me just the exploits associated with it, I need to know cons and pros.

3 Likes

loadstring alone isn’t inherently dangerous, but the “dangers” of it are hyped for some reason. It is mostly dangerous when you have a remote that allows for clients to send strings and run that string as code. The idea of running arbitrary code is dangerous.

But for your case it should really be fine.

If you are just grabbing it from some website via a GET request, someone can just see the website the game makes a request to.

The main concern is trying to sandbox code. If you want to include a string from the client, say like this:

loadstring('print("' .. varFromClient .. '")')

… it's easy to break out of the "sandbox" with a string like ' " workspace.whatever:Destroy() " '. If you entirely trust your source, there are no big security flaws, but it's rarely necessary to use loadstring.

2 Likes
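The break-out described in the reply above, as an added example that is not part of the original thread or of any poster's code. It shows the spliced-string version being escaped, two ways of keeping client input as data, and a restricted environment for code you do fetch from your own server. It assumes Lua 5.1 / Luau with loadstring available; `workspace`, `echoUnsafe`, `echoQuoted`, `echoSafe`, `runRestricted` and the attacker string are all constructed here so the script runs outside Roblox.

```lua
-- Added example, not from the original thread. Assumes Lua 5.1 / Luau with
-- loadstring available; `workspace` is a constructed stand-in so it runs
-- outside Roblox (it must be a global so loaded chunks can see it).
workspace = { whatever = { destroyed = false } }
function workspace.whatever:Destroy() self.destroyed = true end

-- VULNERABLE: untrusted text is spliced into Lua source, then executed.
local function echoUnsafe(varFromClient)
    local chunk, err = loadstring('print("' .. varFromClient .. '")')
    if not chunk then error(err) end
    chunk()
end

-- Constructed attacker input: `")` closes the literal and the print call,
-- arbitrary code follows, and `--` comments out the trailing `")`.
local malicious = 'hello") workspace.whatever:Destroy() --'
echoUnsafe(malicious)
print("destroyed after unsafe echo:", workspace.whatever.destroyed) -- true

-- FIX 1: if source text really must be built, encode the value as a Lua
-- string literal. %q emits a properly escaped literal, so input stays data.
workspace.whatever.destroyed = false
local function echoQuoted(varFromClient)
    local src = "print(" .. string.format("%q", varFromClient) .. ")"
    local chunk = assert(loadstring(src))
    chunk()
end
echoQuoted(malicious)   -- prints the attacker string verbatim; nothing runs
print("destroyed after quoted echo:", workspace.whatever.destroyed) -- false

-- FIX 2 (preferred): never generate source from client input at all; treat
-- client-supplied values as data and hand them to ordinary functions.
local function echoSafe(varFromClient)
    print(varFromClient)
end
echoSafe(malicious)

-- If you do run code fetched from your own server (the OP's case), limit what
-- it can touch: load it with an environment table that exposes only what it
-- needs. setfenv exists in Lua 5.1 and Luau. This restricts global lookups
-- only; it is not a complete sandbox on its own.
local function runRestricted(source, allowed)
    local chunk = assert(loadstring(source))
    setfenv(chunk, allowed)
    return chunk()
end

-- Constructed "remote" script: print is allowed, workspace is not visible.
local remoteCode = [[
    print("running with restricted globals")
    return workspace == nil
]]
print("workspace hidden:", runRestricted(remoteCode, { print = print })) -- true
```

The first two prints show the difference: with the spliced version the stand-in `Destroy` runs, with the `%q` version the same input is printed as text. The restricted-environment function is the relevant pattern for server-fetched code, but it only controls global name resolution; anything reachable through values you pass in (or through the string metatable) is still reachable, so treat it as a reduction of surface area, not a guarantee.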

Keep in mind, you can execute ‘arbitrary’ Lua code in Roblox by simply using a Lua interpreter written in Lua.

LoadstringEnabled is only dangerous if you make it dangerous by having poorly structured systems.

2 Likes