search

rbxts-flamework / core

Flamework is an extensible game framework. It requires typescript and offers many useful features.
MIT License
101 stars 8 forks source link

Better runtime guards #74

Open Fireboltofdeath opened 1 year ago

Fireboltofdeath commented 1 year ago

Switch from @rbxts/t to a more powerful custom system which can include richer errors (e.g explaining what fields were incorrect), allowing recursive guards (but not cyclic) and including debug information (such as type names) (check plans)

This should also support incremental instance tracking so that modules like @flamework/components don't have to do full type checks.

Should incorporate with #28

howmanysmall commented 1 year ago

Should also make it so the server type guards are only accessible on the server because it makes it significantly easier for exploiters to reverse engineer the code.

Found by @TheGreatSageEqualToHeaven.

Fireboltofdeath commented 1 year ago

because it makes it significantly easier for exploiters to reverse engineer the code.

Out of curiosity, what reverse engineering are you concerned exploiters will do? The type guards shouldn't really expose much valuable information on their own.

TheGreatSageEqualToHeaven commented 1 year ago

what reverse engineering are you concerned exploiters will do?

Aside from just knowing what arguments you can pass which helps reverse the game, it stores every remote that you could possibly fire and their associated arguments, and it can also be used to leak in-development updates that are not publicly known.

In HowManySmall's game the events are obfuscated (actual event name hidden as to not get an angry message) and can be easily reversed using the events module either by matching the specific types or by lazily matching constants, if the events were shuffled then the lazy matching would not work however matching the types would work aside from a few that would have the same types but that can be accounted for by matching them from scripts where they are used, if server guards were only accessible on the server then matching them from actual scripts would be the only way to find them and you wouldn't have any information on how to use them apart from looking at the decompiled script. (example below)

image image

local constants = debug.getconstants(getscriptfunction(ReplicatedStorage.TS.events))
local DeobfuscatedNames = {}
DeobfuscatedNames["redacted"] = constants[64]