(also asked this on the Godot Discord)
The `JSON` class has a `to_native` method which has an option for allowing objects to be decoded:
https://docs.godotengine.org/en/latest/classes/class_json.html#class-json-method-to-native

In the code, it checks to make sure any script is located in `res://`:
https://github.com/godotengine/godot/blob/394508d26dcf1b7a9362453f9009c07d969f1a7e/core/io/json.cpp#L1557-L1567

My project will not use scripts (it's completely written as a gdextension) and anything added by the user in an unsandboxed pck file is at their own risk.

Are there any object types that are dangerous to instantiate and set properties on? I know this is the case with Java, where a serialized blob can contain an object that says "delete this temporary file on free" and have a path to some file the attacker wants to delete on the victim's system, but Godot's `FileAccess` doesn't work like that.

Is there anything in the standard library I need to worry about, or is it safe "enough" to allow players to share JSON-encoded objects?
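The usual way to sidestep the question of which engine classes are safe to rebuild from untrusted data is to never let the decoder pick the class at all. The GDScript below is an added example, not code from the post or from the Godot project: it parses player-shared JSON as plain data with `JSON.parse_string` (so no objects are ever decoded) and then rebuilds only allowlisted engine classes with allowlisted, type-checked properties via `ClassDB.instantiate`. The wire format (`{"type": ..., "props": {...}}`), the `ALLOWED` table and the sample payload are all constructed for this example.

```gdscript
# Added example, not from the original post or the Godot project.
# Rebuilds objects from player-shared JSON through an explicit allowlist
# instead of JSON.to_native(data, true). Wire format is constructed for
# this example: {"type": "<engine class>", "props": {"<name>": <value>}}.
extends Node

# Allowed class -> allowed property -> required Variant type.
# Anything not listed here is rejected outright. (Constructed allowlist.)
const ALLOWED := {
	"Node2D": {"rotation": TYPE_FLOAT, "visible": TYPE_BOOL},
	"Label": {"text": TYPE_STRING, "visible": TYPE_BOOL},
}

# Returns a freshly created engine object, or null if the description
# names an unlisted class, an unlisted property, or a mistyped value.
func decode_object(desc: Variant) -> Node:
	if not desc is Dictionary:
		return null
	var type_name := str(desc.get("type", ""))
	if not ALLOWED.has(type_name):
		push_warning("rejected unlisted class: %s" % type_name)
		return null
	var props: Variant = desc.get("props", {})
	if not props is Dictionary:
		return null
	var allowed_props: Dictionary = ALLOWED[type_name]
	# Validate every property before creating the object, so a bad entry
	# never leaves a half-configured node behind.
	for key in props:
		var prop_name := str(key)
		if not allowed_props.has(prop_name):
			push_warning("rejected property %s.%s" % [type_name, prop_name])
			return null
		if typeof(props[key]) != allowed_props[prop_name]:
			push_warning("wrong type for %s.%s" % [type_name, prop_name])
			return null
	# ClassDB.instantiate only creates built-in engine classes; no script
	# path from the JSON is ever consulted.
	var obj: Node = ClassDB.instantiate(type_name)
	for key in props:
		obj.set(str(key), props[key])
	return obj

# Decodes a whole shared payload: a JSON array of object descriptions.
func decode_payload(text: String) -> Array[Node]:
	var result: Array[Node] = []
	# parse_string yields only Dictionaries, Arrays and primitives.
	var parsed: Variant = JSON.parse_string(text)
	if not parsed is Array:
		return result
	for desc in parsed:
		var obj := decode_object(desc)
		if obj != null:
			result.append(obj)
	return result

func _ready() -> void:
	# Constructed sample: one valid Label, one entry naming a class that is
	# not on the allowlist and is therefore dropped with a warning.
	var sample := '[{"type":"Label","props":{"text":"hi","visible":true}},{"type":"FileAccess","props":{}}]'
	var nodes := decode_payload(sample)
	print("decoded %d node(s)" % nodes.size())
	for n in nodes:
		add_child(n)
```

Because the decoder validates every property before `ClassDB.instantiate` runs, a rejected entry never allocates anything, and because the allowlist also fixes each property's Variant type, a JSON value cannot be coerced into a property the author did not intend to expose.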