
Exploitable String Array Overflow Flaw

Open HoratioGamer opened this issue 1 year ago • 4 comments

Ok, so Starscript can easily contain malicious scripts that are counter to the user's interest:

/whisper exploiter My Coords are {player.pos.x + "," + player.pos.z}

Such a script may appear as a macro in a Profile that an exploiter persuades a target to download and install. This is nothing new. The problem with this is, actually checking the macros before using them, I think most players would doubt that this macro is good for them. Is there a way to exploit the String Array Overflow Flaw to hide the exploiter's intentions? Yes.

It is described here: https://github.com/MeteorDevelopment/starscript/issues/16#issuecomment-1712572331

At present, I cannot think of a non-exploitable fix in the Compiler or Run procedures.

I will look to the Lexer or Parser to see if the script can be blocked at the input stage -- in effect most of the proposed script text would just turn red after the 256th string is reached in the text input box, and it would be impossible to save it as a script, so it never gets compiled, and cannot be run.

HoratioGamer, Sep 10 '23 16:09
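
One way to do the input-stage check proposed in the post, as an added example that is not from the post or from the Starscript code base. It assumes each run of text outside `{...}` and each quoted literal inside an expression counts as one string, with the limit of 256 taken from the post; `StringLimitCheck` and `firstOffsetOverLimit` are hypothetical names.

```java
public final class StringLimitCheck {
    // Limit taken from the post ("after the 256th string is reached").
    static final int MAX_STRINGS = 256;

    /**
     * Scans script text and returns the offset at which the string that
     * exceeds MAX_STRINGS begins (where an editor would start marking the
     * text as invalid), or -1 if the script stays within the limit.
     * Counting rule is an assumption: one string per text run outside
     * braces, one per quoted literal inside an expression.
     */
    static int firstOffsetOverLimit(String src) {
        int count = 0;
        int i = 0;
        while (i < src.length()) {
            if (src.charAt(i) == '{') {
                i++; // enter expression
                while (i < src.length() && src.charAt(i) != '}') {
                    char q = src.charAt(i);
                    if (q == '"' || q == '\'') {
                        int litStart = i;
                        i++;
                        // A '}' inside a literal must not end the expression.
                        while (i < src.length() && src.charAt(i) != q) i++;
                        if (++count > MAX_STRINGS) return litStart;
                    }
                    i++; // past closing quote or ordinary expression char
                }
                i++; // past '}'
            } else {
                int runStart = i;
                while (i < src.length() && src.charAt(i) != '{') i++;
                if (++count > MAX_STRINGS) return runStart;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // The macro quoted in the post: two strings, well under the limit.
        String macro = "/whisper exploiter My Coords are {player.pos.x + \",\" + player.pos.z}";
        System.out.println("macro from post: " + firstOffsetOverLimit(macro));

        // Constructed input: 300 expressions, each holding one quoted literal.
        StringBuilder sb = new StringBuilder();
        for (int n = 0; n < 300; n++) sb.append("{\"s").append(n).append("\"}");
        System.out.println("constructed 300-string script: " + firstOffsetOverLimit(sb.toString()));
    }
}
```

A save handler would refuse any script for which the returned offset is not -1, so the text never reaches the compiler.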