Hello all. I've made a simple script that attempts to block most backdoors by blocking them from running code in net receivers and http calls. The addon may break other addons, especially any with a dumb DRM that runs code from a website. Please note that I will be unlikely to help you fix compatibility problems, though if you post the addons either on the workshop or on here I may attempt to fix it in my spare time.
Workshop Link:
https://steamcommunity.com/sharedfiles/filedetails/?id=1508371324
Hello, what does that script do?
I have read but..
Block the http, but what?
these always work out well
>This can break some of your addons
Just... wow.
This is honestly a really poor solution. Not only do you override a core Garry's Mod file on the server and client, which now makes this addon prone to breaking on game updates, you just flat out remove the functionality of RunString, CompileString, and CompileFile in net and HTTP callbacks, which indeed breaks a lot of addons. You should instead just log whenever and wherever they're called so the server owner can investigate the use-case themselves.
You also seemingly have trusted_receivers and whitelisted_urls tables for bypassing your override, but they're undocumented and local, meaning anyone who just uses this straight off workshop will have no idea they exist nor any method to add to them.
It is a nice idea but to be honest I think this is too much of a hassle for what it does.
I do kind of wish it was possible to completely disable those things, particularly http, on your own client in a way that couldn't be reversed by the server.
Well, I got the idea for overriding the init.lua file from (insert clientside anti-cheat). Yes, I remove the functionality, which breaks addons. I'm not sure I'd say a lot, because I don't know of many that RunString/CompileString in http/net receivers except DRM and anti-cheats maybe. I may go ahead and add an option to choose between logging/blocking because it sounds like a good idea, and default to logging.
The reason the trusted tables are local is because if they're global then any backdoor could easily insert itself into the list to bypass it, making the whole thing useless. I may make a config file for those, using a file extension that can't be written to from Lua to protect it, but I really don't think making it global would be a good idea.
This addon is so bad... installing it literally destroys all gmodstore addons with DRM or legit statistics
well done...
I don't really see the point in something like this. If you end up with a backdoor on your server you're doing something seriously wrong.
Not necessarily. Servers have a lot of addons, most of which are automatically updated. In the past we have seen several popular addon creators go rogue after gaining a significant following.
That is true, but to avoid workshop toxicity you can manually extract each addon in its non-backdoored state and scan any updates for potential threats.
1) We already knew that, I said it'd break things like that in the original post.
2) If an addon's "legit statistics" needs to run code from a website they're doing it wrong.
3) Addons with DRM that runs code from a website are doing it wrong, and nobody likes DRM in the first place.
this addon is like using a sledgehammer to kill a wasp; the wasp will probably die but now half your living room is broken
I still haven't found any addons this breaks, aside from backdoors, I'd love some examples so I could add them to the whitelist.
I also pity the developers who are being restricted because of this object
this comparison is great I really laughed a lot :')
Even if this were restricting developers, it'd only be restricting developers who are doing things the wrong way, as I said before. I'd love to hear you argue with me over if it's the wrong way, rather than continue to talk trash about the addon with no good evidence supporting it.
Many developers are doing it the wrong way, but there are other developers who actually make good use of RunString. For example, wiremod defines expression 2 chip functions with a custom syntax that specifies the types of arguments. This makes it easier to define new functions, as everything you need to set up is found right in the function definition. This also means that the scripts that define these functions must be pre-processed before going through the Lua parser. This is only possible through the use of RunString or related functions.
Just because you can't think of legitimate uses of the function doesn't mean they don't exist. If you really cared about addressing this rampant backdoor problem properly, you would put in the effort to make something that doesn't break addons that aren't backdoors. Instead, you just went for one of the laziest possible approaches, which is just as bad as misusing RunString.
This doesn't outright block RunString/CompileString. I'm not 100% sure if it works with e2, but as long as it isn't calling RunString inside net.Receive it should be fine.
'talk trash without any evidence'
lol, you destroy more than 3 functions of the game, it's literally disturbing to read that a person indicates that stupidly killing functions is much better than finding a more functional alternative..
anyway this script is not going to have a lot of users, I mean why take it as something that will break a lot of addons with a pretty sure chance of causing shit on honest addons...
It doesn't destroy them. It prevents them from being run in places they really shouldn't be run from anyway. It only prevents RunString/CompileString in these functions: net.Receive, http.Fetch, http.Post, and HTTP. It won't break a lot of addons; it may break a few, but there's a way to whitelist those few.
You could easily bypass it by calling RunString/CompileString inside a timer/think callback which would be called after the block flag is removed. The payload could be stored somewhere and run later as well.
Yeah I figured those would be problems, but I only made this to see if it'd work at all so I wasn't concerned.
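Added example, not part of the thread and not the addon's code: a log-by-default guard along the lines discussed above, recording RunString calls made while a net.Receive callback is running, with a block mode as the alternative. The names MODE, guard and audit are hypothetical, only RunString inside net.Receive is covered, and the stand-ins at the top exist only so the file also runs in plain Lua outside the game.

```lua
-- Added example, not the addon's code. All names here are hypothetical.
-- Stand-ins so the file also runs in plain Lua 5.1 outside the game:
local unpack = unpack or table.unpack
local loadstring = loadstring or load
net = net or { Receivers = {} }
net.Receive = net.Receive or function(name, fn) net.Receivers[name:lower()] = fn end
RunString = RunString or function(code, id) return loadstring(code, id)() end

local MODE = "log"   -- "log" records and still runs; "block" records and refuses
local ctx = nil      -- set only while a guarded callback is executing
local audit = {}     -- kept local so other addons cannot edit it

-- Wrap a callback so string-execution calls made inside it can be attributed.
-- ctx covers only the synchronous run of fn; as the thread notes, anything
-- deferred past the callback is outside this window and is not seen.
local function guard(label, fn)
    return function(...)
        local prev = ctx
        ctx = label
        local res = { pcall(fn, ...) }
        ctx = prev                      -- restore even if fn errored
        if not res[1] then error(res[2], 0) end
        return unpack(res, 2)
    end
end

local rawRunString = RunString
function RunString(code, identifier, handleError)
    if ctx then
        audit[#audit + 1] = { where = ctx, id = tostring(identifier),
                              bytes = #code, trace = debug.traceback("", 2) }
        if MODE == "block" then return end
    end
    return rawRunString(code, identifier, handleError)
end

-- Must load before other addons register receivers, or those are not wrapped.
local rawReceive = net.Receive
function net.Receive(name, fn)
    return rawReceive(name, guard("net.Receive:" .. name, fn))
end

-- Constructed demo, skipped in game where SERVER or CLIENT is set.
if not (SERVER or CLIENT) then
    net.Receive("demo_msg", function() RunString("x = 1", "demo_chunk") end)
    net.Receivers["demo_msg"](0, nil)
    RunString("y = 2", "outside")       -- no ctx, so not logged
    for _, e in ipairs(audit) do print(e.where, e.id, e.bytes) end
end
```

Each audit entry carries the receiver name and a traceback, which is what a server owner needs to decide whether a given call site belongs on a whitelist.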