Skip to content

Instantly share code, notes, and snippets.

View lopi-py's full-sized avatar

Lopy lopi-py

  • 12:43 (UTC -05:00)
View GitHub Profile
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / READ.md
Last active November 23, 2024 20:22
Data store vulnerabilities

Write-up

A warning to Roblox developers about a powerful exploit primitive. In this, I will detail the research I’ve conducted into this attack vector and walk you through how you as a developer, can protect against exploits with primitives like this.

DataStoreService lets you store data that needs to persist between sessions, such as items in a player’s inventory or skill points. Data stores are consistent per experience, so any place in an experience can access and change the same data, including places on different servers.

By default, experiences tested in Studio cannot access data stores, so you must first enable API services. You will need to do this to test the vulnerabilities.

The idea I wanted to explore when pondering the above question was; can we exploit remotes to prevent data from saving? It is easy to blame the developer for not protecting themselves against such a simple exploit but it ends up being more complicated than that. I found plenty of examples of these vulnerabilities occurring

@evaera
evaera / Clean Code.md
Last active December 8, 2024 17:36
Best Practices for Clean Code
  1. Use descriptive and obvious names.
    • Don't use abbreviations, use full English words. player is better than plr.
    • Name things as directly as possible. wasCalled is better than hasBeenCalled. notify is better than doNotification.
    • Name booleans as if they are yes or no questions. isFirstRun is better than firstRun.
    • Name functions using verb forms: increment is better than plusOne. unzip is better than filesFromZip.
    • Name event handlers to express when they run. onClick is better than click.
    • Put statements and expressions in positive form.
      • isFlying instead of isNotFlying. late intead of notOnTime.
      • Lead with positive conditionals. Avoid if not something then ... else ... end.
  • If we only care about the inverse of a variable, turn it into a positive name. missingValue instead of not hasValue.