Does sv_allowupload 0 truly make it impossible for malicious players to upload files to the server or can they get around it even with sv_allowupload set to 0 ?
Noone knows for sure. All known exploits are fixed, but there still might be others.
And watch out for backdoors in your addons.
Oh, but can uploaded files be used to hack a server (as in the entire system) or does it just hack the game server (srcds) ?
We don’t know, as all current known exploits are fixed.
There are still exploits related to this. Keep it at 0 if you want to be secure.
[editline]7th May 2014[/editline]
Yes, the entire system.
It will prevent any currently known Source exploits, however, it’s still possible with addon backdoors.
Are there any suspect lua codes that are a dead giveaway that a lua script is malicious?
conspicuous oddly places net.Receive’s, generally using RunString or http.Post
Terribly obfuscated code, too.