git-learning-game / oh-my-git

An interactive Git learning game!
https://ohmygit.org
Other
2.04k stars 146 forks source link

Issuing commands may delete stuff on the real file system #135

Open s2k opened 2 years ago

s2k commented 2 years ago

It seems to me that (accidentally) issuing dangerous commands may delete stuff on the real file system on the machine the game is played on.

For example entering "rm -rf /" (don't do that, no-one would do this, except, maybe a tester…) first causes a long list of messages inside the game, and then outside the game files are lost (i.e. configuration files for the shell, and other user specific stuff).

Thankfully macOS pretty much prevents system files from being lost, but still a good amount of harm can be done.

I'd expect a learning game/platform to protect unaware people (well, or testers) from doing this, by (for example) using a virtual file system, so that real files/folders cannot even be reached from within the game.

How to reproduce

  1. I reproduced the behaviour on a virtual VM (I used VirtualBox with a newly installed Fedora distribution on my Mac).
  2. Download the (Linux version of the) game from https://blinry.itch.io/oh-my-git
  3. Unzip zip file
  4. Open file system browser and navigate to unzipped folder (oh-my-git-linux)
  5. Double-click oh-my-git (see screen shot). start-omg-game
  6. Start any level, i.e. 'Living dangerously'
  7. Enter some commands in the prompt displayed in the game. (see screenshot) entering-commands-in-omg
  8. The shutdown now is where the danger lies: It actually shuts down the computer.

Real fun can be had when running other commands (see above), since every location on the file system that is accessible by the playing user can be reached – and deleted.

Again: For a learning game, I expect user sbeing protected against themselves.

array-in-a-matrix commented 6 months ago

I ran rm -rf /* assuming I would find a hidden easter egg :trollface:, restoring from a backup rn.