
h6x's Introduction

H6x

H6x is a script sandboxing tool designed with compatibility and security in mind.

Here be dragons

If the security of your game's data/playability is a concern to you, please take a moment to read the following carefully before you proceed, and make considerations.

While H6x itself is designed to be secure as a sandboxing tool, that does not mean insecure or improper usage of it is impossible.

H6x is merely a tool for constructing sandboxes & environments to run trusted, or untrusted code in. While it intends to be user friendly, and make it easy to securely execute untrusted code, you should be aware of the risks of doing so, and the ways in which you may provide unwanted access to pieces of your game.

Avoid providing more than you explicitly intend to provide. For example, if you intend to allow users to create mods for your game, it is recommended that you create a unique and entirely separate API that interacts with internal ones indirectly. You should avoid letting untrusted code interact directly with important code, and you should sanitize function arguments.

Metatables and function environments (fenvs) are important to take into account if security is a concern to you. When you call H6x APIs, H6x executes code inside individual container scripts, which, simply by taking advantage of Roblox's own functionality, stops user code from accessing caller envs. Calling user functions directly, without going through H6x APIs, can however give that code access to your calling scripts' fenvs. If you want to be extra safe, you can always disable these features if you don't intend to let untrusted code use them.
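As an added illustration of the two points above (a separate mod-facing API that sanitizes arguments, and the fenv exposure that comes from calling user functions directly), here is Luau example code that is not part of H6x; `Internal`, `ModAPI`, `ADMIN_TOKEN` and the callback are constructed stand-ins.

```lua
-- Added example, not H6x code. ADMIN_TOKEN is a constructed global: it lives in
-- this script's fenv and is the kind of value untrusted code must never reach.
ADMIN_TOKEN = "placeholder-token"

local Internal = {}  -- constructed stand-in for the game's internal code
function Internal.AddCoins(playerName, amount)
    print(("internal: +%d coins for %s"):format(amount, playerName))
    return true
end

-- Facade: the only table handed to untrusted code. Every argument is checked
-- and internal code is reached indirectly; Internal itself is never exposed.
local ModAPI = {}
function ModAPI.addCoins(playerName, amount)
    assert(type(playerName) == "string" and #playerName <= 20, "bad playerName")
    assert(type(amount) == "number" and amount == math.floor(amount)
        and amount >= 1 and amount <= 100, "bad amount")
    return Internal.AddCoins(playerName, amount)
end

-- Direct call: inside the callback, getfenv(2) is this script's fenv,
-- so ADMIN_TOKEN is readable. This is the situation the README warns about.
local function callDirectly(fn, ...)
    local result = fn(...)
    return result
end

-- Isolated call: the wrapper gets an empty fenv, so getfenv(2) from the callback
-- only sees that empty table. H6x's APIs isolate calls for you; this shows the
-- idea for callbacks you invoke yourself. pack/unpack are captured as upvalues
-- because the wrapper's fenv no longer contains `table`.
local pack, unpack = table.pack, table.unpack
local function callIsolated(fn, ...)
    local function wrapper(...)
        local r = pack(fn(...))  -- not a tail call, so the wrapper frame stays on the stack
        return unpack(r, 1, r.n)
    end
    setfenv(wrapper, {})
    return pcall(wrapper, ...)
end

-- Constructed untrusted callback that tries to read its caller's globals.
local function untrustedCallback()
    return getfenv(2).ADMIN_TOKEN
end

print(callDirectly(untrustedCallback))        -- the token leaks
print(callIsolated(untrustedCallback))        -- true nil: nothing to read
print(pcall(ModAPI.addCoins, "alice", 1e9))   -- false ...bad amount
```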

Getting Started

Importing H6x

  1. Download a release from releases, build an rbxm with the steps in Building from source, or see Integrating with Rojo projects.
  2. Import the rbxm into your game.
  3. Run the game, and ensure that H6x does not display any errors in the Output view (Roblox Studio -> View -> Output)

Setting up H6x in your game

TBD

Integrating with Rojo projects

Alternatively, H6x can be integrated directly within your Rojo projects. Simply place H6x somewhere outside of your project tree, and target default.project.json:

{
	...
	"H6x": {
		"$path": "../path/to/H6x/default.project.json"
	}
	...
}

You can do this from another project file inside of your src tree, or from your main project file.

Building from source

To build H6x, first install Rojo, or use Foreman, and run the following command once you have cloned the repository:

rojo build -o "H6x.rbxm"

For more help, check out the Rojo documentation.

h6x's People

Contributors

hexcede

h6x's Issues

[BUG] Global table semi-shared by default

Describe the bug
As demonstrated in #8 globals from tests end up in the base environment the sandbox uses. This is not necessarily a security concern but is potentially confusing behaviour as it is the default and providing custom base environments is not super clear.

To Reproduce
Steps to reproduce the behavior:

  1. In a sandbox, print the caller fenv:
print(getfenv(2))
  2. Notice the globals from tests (as seen in #8).

Expected behavior
By default, writing to the global environment from a sandbox would not be expected to modify the base environment. This can be solved by using another layer for the Environment object for storing raw changes, rather than transferring them to the base environment.

Version information (please complete the following information):

  • H6x version: v0.0.x-v1.x.x
  • Beta features enabled: All beta features

Additional context
See #8

Calling a userdata object (not Instance) results in an unexpected error with Util

Describe the bug
Calling a user data object with the metamethod __call fails to check whether it's a C function, and results in an error using debug.info with argument 1.

To Reproduce
Steps to reproduce the behavior:

  1. Create a module script that returns a user data object
  2. Require the module and attempt to call the returned user data
  3. Expect to see a bug similar to this

Expected behavior
Calling it must not encounter an issue with user data

Version information:

  • H6x version: v2.1.0
  • Beta features enabled: Parallel Lua

Example compatibility issue

This is an example of how you might word or structure a code compatibility issue. You don't have to do it exactly this way but it's helpful. This was a real bug encountered in-dev before the release of v1.1.220607.

Describe the bug
This code causes H6x to hang Roblox.

To Reproduce
When the code runs, sandbox:GenerateActivityReport causes a hang.

This code demonstrates the issue as best as possible and is as small as possible:

local sandbox = H6x.Sandbox.new()
sandbox:ExecuteFunction(function()
	abc = function(a, b)
		return b, a
	end
	b, a = abc({ABC = abc}, 2)
	a.ABC(4, 5)
	a:ABC(8)
end)
sandbox:GenerateActivityReport("h6x") -- Caused by this (commenting this line makes the code work)

Expected behavior
The code runs correctly without hanging.

This code demonstrates the expected behaviour when run outside of the sandbox (leave unchanged if N/A):

CODE HERE

Version information (please complete the following information):

  • H6x version: v1.1.220607
  • Beta features enabled: All beta features

Additional context
After investigating the issue and debugging it myself, the hang is caused by a table.find call inside of sandbox:GenerateActivityReport(). table.find does a regular == comparison, which causes a new log entry to be created before sandbox:GenerateActivityReport() is finished, resulting in the pairs loop over the log history never completing.

Global table vulnerability?

There's a vulnerability inside user code where it can mess with the global H6X.

Reproducing the bug

  1. Server Runner executes user code:
warn(getfenv(2))
  2. Bug occurs with the global table

Expected behavior
Prints out the global H6x table

FX Script 327713710-734a0c06164e71:  ▼  {
                    ["globalH6x"] =  ▼  {
                       ["Constants"] =  ▶ {...},
                       ["Environment"] =  ▶ {...},
                       ["Logger"] =  ▶ {...},
                       ["Reflector"] =  ▶ {...},
                       ["Runner"] =  ▶ {...},
                       ["Sandbox"] =  ▼  {
                          ["Empty"] =  ▶ {...},
                          ["Plugin"] =  ▶ {...},
                          ["Roblox"] =  ▶ {...},
                          ["User"] =  ▶ {...},
                          ["Vanilla"] =  ▶ {...},
                          ["new"] = "function"
                       },
                       ["SandboxActivity"] =  ▶ {...},
                       ["Testing"] =  ▶ {...},
                       ["Util"] =  ▶ {...}
                    },
                    ["globalSandbox"] =  ▶ {...},
                    ["globalThing"] = "someNotVerySpecificString",
                    ["script"] = Sandbox,
                    ["testMulti"] = "function",
                    ["thread"] = "Thread(24B3FD890F8)"
                 }


Version information (please complete the following information):

  • H6x version: v0.0.220515
  • Beta features enabled: Parallel Lua

Additional context
I wasn't sure if this bug was necessary or not in terms of allowing user code to access the global H6X table. I wanted to point this out because it could access the H6X module and possibly tamper with its functions.

[CRITICAL] Roblox update broke?

Describe the bug
This error has popped up unexpectedly and was reported by one of my users.

To Reproduce
Steps to reproduce the behavior:

  1. Run security test

Version information (please complete the following information):

  • H6x version: 2.1.1
  • Beta features enabled: Parallel Lua
