Possible security issues when loading scenes from a 3rd party

:information_source: Attention Topic was automatically imported from the old Question2Answer platform.
:bust_in_silhouette: Asked By Phyron

Hi there!

I have a security question, I will try to explain to the best of my ability, but I am quite a novice in security matters.

I have a multiplayer online game with a dedicated server, and I would like players to send me a simple Godot exported scene, with a node containing a 3D object (.obj).
I would then send that scene to the other players to load in their session.

The question I have is that this circuit may have security problems. Could malicious code be injected into the scene? From what I understand, in the .obj, if I control its load, if they inject code I can block it. But in a scene file I don’t know.

Of course, I would control that the scene does not contain any other node or script, that is not for example a Spatial node, with an .obj object and a texture for example. If it didn’t meet that requirement, I wouldn’t send it to the players.

And in the event that it was a more complex scene? For example, with some lights or something. Always considering the scene without scripts.

:bust_in_silhouette: Reply From: Ertain

If the player can send a scene that they’ve entirely created in their program (i.e. a program not made by you), then it can have malicious code in it. A good way to prevent them from injecting malicious code is to write the client application and only have the user interact with that version. Check that this client app is the official version (if necessary, use hashes to verify that the files are genuine). Instead of making the client, most of the content could be made on the server. The users have a small application which sends all of its data and commands to the server. That way, there’s little doubt what code is running on the other users’ machines. One of the downsides to this, though, is that the server will need to handle most of the processing for the users. Also, the users will need to have good connections so that the state of the game can be synchronized.

If I understand you correctly, you comment that if they use their “own” Godot fork, they can inject malicious code. So you should force them to use the version I want and check it with the hash, is this it?
Then again, I just found this!:
Godot Editor running in a web browser

It would be a very good option, right? Create a .tscr scene in Godot on the web, which will be the version without modifications.

Phyron | 2020-07-26 12:04

Yes, creating your own client, and checking for that version would be a good option to make it more secure.

You can also go with the web browser option to control nearly every aspect of the scene creation. One of the benefits of having it hosted in a browser is that the users can easily create the scene and upload it to the server. But as I wrote before, the server will have to handle most of the processing.

Ertain | 2020-07-26 16:35
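
Added example, not part of the original thread: a server-side allowlist check of the kind the question describes (a Spatial node with an .obj mesh and a texture, no scripts), written in Python. It assumes the upload is Godot 3's text `.tscn` format rather than a binary scene; the allowlists, `validate_tscn`, `path_ok` and the sample scenes are constructed for illustration.

```python
import re

# Assumed allowlists for the "Spatial + .obj mesh + texture" scene in the question.
ALLOWED_TYPES = {
    "gd_scene": None,  # file header section, carries no type attribute
    "ext_resource": {"ArrayMesh", "Texture"},
    "sub_resource": {"SpatialMaterial"},
    "node": {"Spatial", "MeshInstance"},
}
ALLOWED_EXTENSIONS = (".obj", ".png", ".jpg")
HEADER_RE = re.compile(r"^\[(\w+)([^\]]*)\]$")     # one [section ...] per line
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value pairs in a header
SCRIPT_RE = re.compile(r"\bscript\b", re.IGNORECASE)

def path_ok(path):
    return (path.startswith("res://") and ".." not in path
            and path.lower().endswith(ALLOWED_EXTENSIONS))

def validate_tscn(text):
    """Return a list of problems; an empty list means the scene passed."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if SCRIPT_RE.search(line):  # fail closed on any script property or type
            problems.append(f"line {n}: mentions a script")
        elif line.startswith("["):
            m = HEADER_RE.match(line)
            if not m or m.group(1) not in ALLOWED_TYPES:
                problems.append(f"line {n}: section not allowed")
                continue
            kind, pairs = m.group(1), ATTR_RE.findall(m.group(2))
            attrs = {k: v.strip('"') for k, v in pairs}
            allowed = ALLOWED_TYPES[kind]
            if len(attrs) != len(pairs) or "instance" in attrs:
                problems.append(f"line {n}: duplicate attribute or instanced scene")
            elif allowed is not None and attrs.get("type") not in allowed:
                problems.append(f"line {n}: {kind} type not allowed")
            elif kind == "ext_resource" and not path_ok(attrs.get("path", "")):
                problems.append(f"line {n}: resource path not allowed")
    return problems

# Constructed sample scenes (not from the thread).
GOOD = '''[gd_scene load_steps=2 format=2]
[ext_resource path="res://ship.obj" type="ArrayMesh" id=1]
[node name="Root" type="Spatial"]
[node name="Ship" type="MeshInstance" parent="."]
mesh = ExtResource( 1 )
'''
BAD = GOOD + '[sub_resource type="GDScript" id=1]\nscript/source = "extends Spatial"\n'
```

Anything the allowlists do not name is rejected, so accepting lights would mean adding those node types explicitly.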