|
| 10 May 2017 11:06 AM |
| I would like to start by saying this thread was made so I can learn how to prevent or protect against this. There are currently 3 methods that I've heard of for overriding globals. And no I'm not referring to _G. I mean literally overwriting server globals. For example, I override the print() function and instead make it call warn() so anyone who then called print() it would warn instead. I have also seen people overriding the #### Service to prevent players from using it by making Posting etc returning nil or an error(). Please reply if you know how to override globals or have a way to detect it so I can keep some of my Modules safe. (People have overridden #### and gotten keys, Datastore keys, even stolen source directly.) |
|
|
| Report Abuse |
|
|
TimeTicks
|
  |
| Joined: 27 Apr 2011 |
| Total Posts: 27115 |
|
|
| 10 May 2017 11:37 AM |
You shouldn't be doing that. just call warn when its a warn and print when its a print. Or just do it the easy way and make your own custom function. Duh
Just store modules in server storage.
|
|
|
| Report Abuse |
|
|
|
| 10 May 2017 11:46 AM |
| The issue is it's a Module free for public to use via require. In the past and currently I've had issues with overwriting globals, however, very few people know how to it is still concerning for the security of my module. |
|
|
| Report Abuse |
|
|
TimeTicks
|
  |
| Joined: 27 Apr 2011 |
| Total Posts: 27115 |
|
|
| 10 May 2017 11:47 AM |
Security about modules is not of any concern. Storing them in serverstorage is perfectly fine since clients do not have access to it.
|
|
|
| Report Abuse |
|
|
|
| 10 May 2017 11:51 AM |
| Because anyone can require the module if they require it in a sandbox they made they can control what it has access too. This normally isn't an issue but if their custom environment includes override globals they can log my requests to services and get website keys and tokens. |
|
|
| Report Abuse |
|
|
|
| 10 May 2017 11:57 AM |
It's not like it's a part of my game. Anyone can use it and they can do some pretty sketchy things to instance the module by catching errors and using Clone and SavePlace to get the module and all its decendants.
(Ignoring the fact roblox now clears the source of the main module) |
|
|
| Report Abuse |
|
|
W8X
|
  |
| Joined: 20 Jan 2014 |
| Total Posts: 683 |
|
| |
|
|
| 10 May 2017 12:05 PM |
| That would only change the environment of the script that is run in not the global environment |
|
|
| Report Abuse |
|
|
|
| 10 May 2017 12:11 PM |
local function print(s) warn(s) end
print("this message should appear as a warning") |
|
|
| Report Abuse |
|
|
|
| 10 May 2017 12:13 PM |
| That's just a longer way to the previous response... |
|
|
| Report Abuse |
|
|
|
| 10 May 2017 12:15 PM |
Guys I'm not talking about changing the local environment like
local print = warn
print'ok'
I mean overriding the global environment as in every script |
|
|
| Report Abuse |
|
|
W8X
|
  |
| Joined: 20 Jan 2014 |
| Total Posts: 683 |
|
|
| 10 May 2017 12:24 PM |
uh you could maybe make a plugin that modifies the source of every script and localscript to have something like setfenv(0,new_env) and the start
|
|
|
| Report Abuse |
|
|
|
| 10 May 2017 12:37 PM |
You can't run a script in a sandbox like that. Try to understand what the issue is before you try to fix it.
|
|
|
| Report Abuse |
|
|
|
| 10 May 2017 12:39 PM |
| The sandbox was just an example. The problem is people overriding the # t t p service and logging my keys and tokens to my website and changing stuff. |
|
|
| Report Abuse |
|
|
|
| 10 May 2017 12:42 PM |
Tell me how they do that and I may be able to help.
|
|
|
| Report Abuse |
|
|
|
| 10 May 2017 12:51 PM |
| That's the problem, I have no idea how they access the global environment let alone edit it. |
|
|
| Report Abuse |
|
|
|
| 10 May 2017 01:00 PM |
Are they viewing the source of the script? Because if you didn't protect it, that is easy to do.
Let me help.
local script = script script = nil
Put that at the top, that will protect you against the most common and easiest way to take the source of a copylocked ModuleScript.
|
|
|
| Report Abuse |
|
|
cntkillme
|
  |
| Joined: 07 Apr 2008 |
| Total Posts: 44956 |
|
|
| 10 May 2017 02:13 PM |
What you want to do is "impossible" on Roblox. I quote impossible because there's been a bug that has existed for years (and still exists as of a month ago) that let's you steal the metatable of the script's global env. and actually overwrite built-ins. |
|
|
| Report Abuse |
|
|
|
| 10 May 2017 04:15 PM |
| Yeah I know it's a bug but I also know are are currently 3 different methods to getting the enviroment. Also, yes I already do something similar to "local script=script;script=nil" |
|
|
| Report Abuse |
|
|
|
| 10 May 2017 04:17 PM |
| I only kniw ghere a few different methods but don't know how to use any of them nor protect against them. |
|
|
| Report Abuse |
|
|
|
| 25 May 2017 09:24 PM |
Do you know how to do this method and are you willing to share?
|
|
|
| Report Abuse |
|
|
|
| 25 May 2017 09:25 PM |
local This_Module_Holds_My_Global_Variables = require(module) local _ENV = getfenv() for name, value in next,This_Module_Holds_My_Global_Variables do _ENV[name] = value end
print( myGlobal ) |
|
|
| Report Abuse |
|
|
|
| 25 May 2017 09:26 PM |
--module
return { test = function() print("a ok") end; }
--test() should now work when u run the other one |
|
|
| Report Abuse |
|
|
|
| 25 May 2017 09:27 PM |
...or just simply:
global1, global2, global3 = require(module)
|
|
|
| Report Abuse |
|
|
|
| 25 May 2017 09:27 PM |
To fit the example you posted:
global1, global2, global3 = unpack(require(module))
Just don't make it a dictionary.
|
|
|
| Report Abuse |
|
|