rojo-rbx / rbx-dom

Roblox DOM and (de)serialization implementation in Rust

Add documentation for SecurityCapabilities #460

Open kennethloeffler opened 1 month ago

kennethloeffler commented 1 month ago

Back in #358, we added bare-bones support for the SecurityCapabilities type. At the time, this data type did not have any user-facing functionality, making it impossible to infer the meaning of its bits. So, we opted to treat it as an opaque integer, and did not create any documentation.

Since then, Roblox has released Script Capabilities as a beta feature, so we should be able to start poking at values of this type, and determine the meaning of the bits. Capabilities is a set of bools that dictate whether a script has the ability to perform certain actions, so this type is probably a bit field, with each bit corresponding to a specific capability.

One interesting note is that while capabilities are only available in the properties widget on Folder, Model, and Script instances (and instances of their subclasses), the Capabilities property exists on every Instance. This could mean that Roblox once planned that any instance could define capabilities, or that they will in the future.

I'm not sure if we should implement anything against our findings until the feature leaves beta since it's possible that exact details may change, but this won't stop us from getting a head start on documentation!

Dekkonot commented 4 weeks ago

Based on this devforum post we probably want to wait on implementing it, yeah.

Documenting it is probably fine though; it'll, if nothing else, be interesting to see if it changes and how it changes.

EpixScripts commented 3 weeks ago

The capability bits as of v648 are:

0: Plugin
1: LocalUser
2: WritePlayer
3: RobloxScript
4: RobloxEngine
5: NotAccessible
8: RunClientScript
9: RunServerScript
11: AccessOutsideWrite
15: Unassigned
16: AssetRequire
17: LoadString
18: ScriptGlobals
19: CreateInstances
20: Basic
21: Audio
22: DataStore
23: Network
24: Physics
25: UI
26: CSG
27: Chat
28: Animation
29: Avatar
30: Input
31: Environment
32: RemoteEvent
61: PluginOrOpenCloud
62: Assistant
63: Restricted

Notice how only some of the Luau Enum.SecurityCapability EnumItems map to this bitfield. The lowest 8 bits map to what was previously identity permissions.
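Added example, not part of the comment above and not rbx-dom code: a Rust sketch that decodes a raw SecurityCapabilities value using the bit list reported for v648, and keeps any set bit the list does not cover instead of dropping it. It assumes the opaque integer is an unsigned 64-bit value; `KNOWN_BITS`, `decode` and `toggled_bits` are hypothetical names, and the sample value is constructed.

```rust
// Bit index -> name, copied from the list in the comment above (reported for v648).
// Unverified, and may change while Script Capabilities is in beta.
const KNOWN_BITS: &[(u32, &str)] = &[
    (0, "Plugin"), (1, "LocalUser"), (2, "WritePlayer"), (3, "RobloxScript"),
    (4, "RobloxEngine"), (5, "NotAccessible"), (8, "RunClientScript"),
    (9, "RunServerScript"), (11, "AccessOutsideWrite"), (15, "Unassigned"),
    (16, "AssetRequire"), (17, "LoadString"), (18, "ScriptGlobals"),
    (19, "CreateInstances"), (20, "Basic"), (21, "Audio"), (22, "DataStore"),
    (23, "Network"), (24, "Physics"), (25, "UI"), (26, "CSG"), (27, "Chat"),
    (28, "Animation"), (29, "Avatar"), (30, "Input"), (31, "Environment"),
    (32, "RemoteEvent"), (61, "PluginOrOpenCloud"), (62, "Assistant"),
    (63, "Restricted"),
];

/// Hypothetical helper: split a raw value into the names of known set bits
/// and the indices of set bits that the table does not cover.
fn decode(bits: u64) -> (Vec<&'static str>, Vec<u32>) {
    let mut names = Vec::new();
    let mut unknown = Vec::new();
    for i in 0..64u32 {
        if bits & (1u64 << i) == 0 {
            continue;
        }
        match KNOWN_BITS.iter().find(|(idx, _)| *idx == i) {
            Some((_, name)) => names.push(*name),
            None => unknown.push(i),
        }
    }
    (names, unknown)
}

/// Hypothetical helper: bit indices that differ between two saved values,
/// e.g. the same instance saved before and after ticking one capability.
fn toggled_bits(before: u64, after: u64) -> Vec<u32> {
    let diff = before ^ after;
    (0..64u32).filter(|i| diff & (1u64 << i) != 0).collect()
}

fn main() {
    // Constructed sample value: bits 9, 20, 23 and 40 set (40 is not in the list).
    let raw: u64 = (1 << 9) | (1 << 20) | (1 << 23) | (1 << 40);
    let (names, unknown) = decode(raw);
    println!("known: {:?}, unknown bits: {:?}", names, unknown);
    println!("toggled: {:?}", toggled_bits(raw, raw | (1 << 21)));
}
```

Reporting unknown bits separately matters for round-tripping: a value that sets a bit outside the list is still preserved and visible rather than silently masked off.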

kennethloeffler commented 3 weeks ago

Hey @EpixScripts, thanks for your investigation, but we need to be careful about how we go about reverse engineering for this project. Viewing decompiled code risks violating Roblox's copyright, so we don't do that here.

The way we typically reverse engineer additions to the format is by using Roblox Studio to save rbxm files, then using the tools we've developed to dissect the artifacts, and to create new "weird" ones to see how Roblox Studio handles them. That way, we aren't creating a derived work.