Added rawget and rawset functions #321
Conversation
|
This is unsafe as is. This would very likely make it possible for a script to break out of the sandbox. Which is why these were never included it would be too risky to try to make these safe. |
|
I have been testing this quite a bit. The only things that players can use to break out of the sandbox ( to my knowledge ) are the library tables themselves and the wrapped starfall types. While I am not fully certain as to how sanbox-proof this is, I do know that all starfall defined types have their metatable.__metatable as a string. Even with rawget/set one can't access the __(un)wrap function inside the metatable. Properly wrapped objects shouldn't have any indices that directly access their unwrapped counterpart. The same goes for library tables, you can only rawget the starfall defined functions themselves or any other index assigned to the library methods variable. running getmetatable only returns "Library: x" You cant really inject any code into a library function either because the only methods that you could inject into them would be ones generated into the starfall sandbox. Even so, the variables that get passed to the library functions are wrapped, as they originate from the sandbox. The worst that a player could do with rawget/set is fuck up a library function and make it so the client / server will have to reconnect / restart to fix the problem. This being said I am probably missing something and this would be a terrible addition when it comes to the safety of the sandbox. EDIT: Even _G's metatable is "Environment" |
No description provided.