Open Bod9001 opened 3 years ago
```csharp
// Needs: using System.IO; using UnityEngine;
// These are members of a MonoBehaviour-derived class.

// Strips components that can carry serialized UnityEvents or visual scripts
// from the prefab (inactive children included) before it is instantiated.
private static void SanitizePrefab(GameObject prefab)
{
    System.Type[] badComponents = new System.Type[] {
        typeof(UnityEngine.EventSystems.EventTrigger),
        typeof(Bolt.FlowMachine),
        typeof(Bolt.StateMachine),
        typeof(UnityEngine.EventSystems.UIBehaviour)
    };
    foreach (var componentType in badComponents) {
        foreach (var component in prefab.GetComponentsInChildren(componentType, true)) {
            // allowDestroyingAssets = true, because the prefab is a loaded asset
            DestroyImmediate(component, true);
        }
    }
}

// Sanitizes first, then instantiates.
public static Object SafeInstantiate(GameObject prefab)
{
    SanitizePrefab(prefab);
    return Instantiate(prefab);
}

public void Load()
{
    AssetBundle ab = AssetBundle.LoadFromFile(Path.Combine(Application.streamingAssetsPath, "evilassets"));
    GameObject evilGO = ab.LoadAsset<GameObject>("EvilGameObject");
    GameObject evilBolt = ab.LoadAsset<GameObject>("EvilBoltObject");
    GameObject evilUI = ab.LoadAsset<GameObject>("EvilUI");
    SafeInstantiate(evilGO);
    SafeInstantiate(evilBolt);
    SafeInstantiate(evilUI);
    ab.Unload(false);
}
```
Update: I did some testing and I can't seem to get the download portion to work, though it still allows the downloaded game object to run any executable on a person's computer that Unity has permission to run.
The suggested best course of action is to just patch https://github.com/Unity-Technologies/UnityCsReference/blob/master/Runtime/Export/UnityEvent/UnityEvent.cs#L882 in its DLL to not be dumb and not access static instances/require a game object as well. Making it so it has to be non-static is a good first step.
https://blog.includesecurity.com/2021/06/hacking-unity-games-malicious-unity-game-objects/
From what I've researched, Unity is not going to do anything about this at all... Since Unity doesn't seem to be fixing this in any way, the suggested solution inside of the post seems like a good compromise, though it will break UI components since they use Unity events. It could be expanded to check the events and see if they're bad or good, and the same for the visual scripting language, checking for bad components. In the future we might want to implement a visual scripting language with the Unity Addressables for basic client modding.
This function for cleaning up the spawned addressable content would be part of the clean DLLs.
The real problem is these can be included in built clients, in built-in prefabs. Continues in #7158.
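
The event check suggested in the issue above (keeping UI components and filtering their Unity events instead of destroying them), sketched as an added example that is not code from this issue, the project, or the linked post. The class name `UnityEventAllowlist`, its method, and the allowlist entries are hypothetical; it treats any listener without a target object as disallowed.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using UnityEngine;
using UnityEngine.Events;

// Hypothetical helper: fail-closed filter for serialized UnityEvent listeners.
public static class UnityEventAllowlist
{
    // Constructed sample allowlist, keyed "TargetTypeFullName.MethodName".
    static readonly HashSet<string> Allowed = new HashSet<string> {
        "UnityEngine.GameObject.SetActive",
        "UnityEngine.UI.Text.set_text",
    };
    const BindingFlags Flags = BindingFlags.Instance | BindingFlags.Public |
                               BindingFlags.NonPublic | BindingFlags.DeclaredOnly;

    // Switches off every persistent listener not on the allowlist; returns the count.
    public static int DisableUnlistedListeners(GameObject prefab)
    {
        int disabled = 0;
        foreach (var component in prefab.GetComponentsInChildren<Component>(true))
        {
            if (component == null) continue; // missing script
            // Walk base types so private serialized fields (e.g. on UI classes) are seen.
            for (Type t = component.GetType(); t != null && t != typeof(object); t = t.BaseType)
            {
                foreach (FieldInfo field in t.GetFields(Flags))
                {
                    // Direct UnityEvent fields only; events nested in lists or
                    // custom classes are not covered by this sketch.
                    if (!(field.GetValue(component) is UnityEventBase evt)) continue;
                    for (int i = 0; i < evt.GetPersistentEventCount(); i++)
                    {
                        UnityEngine.Object target = evt.GetPersistentTarget(i);
                        string key = target == null ? null
                            : target.GetType().FullName + "." + evt.GetPersistentMethodName(i);
                        if (key != null && Allowed.Contains(key)) continue;
                        // No target object, or not on the list: disable the call.
                        evt.SetPersistentListenerState(i, UnityEventCallState.Off);
                        disabled++;
                    }
                }
            }
        }
        return disabled;
    }
}
```

Calling it from `SanitizePrefab` before `Instantiate` would let `UIBehaviour` be dropped from the destroy list, while `EventTrigger` stays there because its events sit inside a list.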