Manonox
[Question] When pushing godot objects does this take in account arbitrary code execution of scripts?
Godot version
Na
godot-cpp version
Na
System information
Debain 13
Issue description
Sorry for ignoring issue templates, this question has to do with this asset.
When pushing godot objects does this take in account arbitrary code execution of scripts?
Because it's probably not desirable for people to be able to attach gdscripts to userdata.
Pushing a godot object only saves a reference to it in the VM, that is, the object should've been already created and not destroyed: https://github.com/Manonox/GDLuau/blob/42af1aad8de4a3ac9c64c09d57d7b17b6da9de27/src/utils.cpp#L321
Then you "dereference" them when you call something like lua_toobject:
https://github.com/Manonox/GDLuau/blob/42af1aad8de4a3ac9c64c09d57d7b17b6da9de27/src/utils.cpp#L339
It's not the same as when you serialize an object in Godot with something like bytes_to_var_with_objects
Serialization is usually used to save/network transfer data; pushing references into a Lua virtual machine is mostly for convenience, you could just manually push the instance_id as a number and retrieve it later.
F.e. if you have a player Node and it has a bunch of children, scripts, etc.; you could push_object it into Lua and pass that userdata to a function later and it will point to the same player Node that already exists, without anything new being instantiated
Also, if you push a RefCounted object into the VM it'll increment (and decrement later) the reference count: https://github.com/Manonox/GDLuau/blob/42af1aad8de4a3ac9c64c09d57d7b17b6da9de27/src/utils.cpp#L315-L317 (so f.e. you can keep a Resource loaded in memory if you have a reference to it somewhere in Lua)
