Check out our latest project ✨ OpenChapter.io: free ebooks the way its meant to be 📖

External Resource Loader (C#)

An asset by mdarkwell
The page banner background of a mountain and forest

Install Asset

Install via Godot

To maintain one source of truth, Godot Asset Library is just a mirror of the old asset library so you can download directly on Godot via the integrated asset library browser

Install Manually

You could also download the zip archive of the asset and manually install it into your addons/ folder

Report comment

Reason for reporting:
Character limit is 200 characters

Delete Comment

Are you sure you want to delete this Comment? This action can't be undone.

External Resource Loader (C#) hero image

Quick Information

0 ratings
External Resource Loader (C#) icon image
mdarkwell
External Resource Loader (C#)

A Godot C# plugin which attempts to safely load external resources, mitigating bad actors from arbitrary code execution at runtime. This attempts to scan for code signatures in any external resource loaded by Godot. If a code signature is detected, it will return an empty resource object. Otherwise, it will load the resource as intended.⚠️ DISCLAIMER: This plugin does not make any guarantee or assurance that bad actors cannot still arbitrarily execute code. This merely mitigates the issue by scanning external resources for embedded scripts.

Supported Engine Version
4.1
Version String
4.1.0
License Version
MIT
Support Level
community
Modified Date
1 day ago
Git URL
Link to Git URL
Issue URL
Link to Issues URL

ExternalResourceLoader

A godot C# plugin which attempts to safely load external resources, mitigating bad actors from arbitrary code execution at runtime.

⚠️ DISCLAIMER: This plugin does not make any guarantee or assurance that bad actors cannot still arbitrarily execute code. This merely mitigates the issue by scanning external resources for embedded scripts.

🤔 What does this do?

This attempts to scan for code signatures in any external resource loaded by Godot. If a code signature is detected, it will return an empty resource object. Otherwise, it will load the resource as intended.

⚙️ How does it work?

The plugin registers a custom high-priority ResourceFormatLoader which only overloads resource loading when attempting to load an external resource or scene. From there, it scans external resource data for any embedded code within the resource or scene. If it finds a code signature, it will return an empty resource instance rather than the resource.

README flowchart

🤔 How do I use it?

Import the add-on, and build the project. Once you build the project, enable the plugin within the project settings.

README

😯 That's it?

Yep! When the project runs, it will load the ExternalResourceLoader, which automatically overloads ResourceLoader::Load() internally. Whether the resource is loaded at runtime, or from a static reference, as long as it's an external resource, it will scan for embedded code.

🪝 Can I detect when a bad resource is loaded?

Yes! Hook the signal ExternalPluginManager.Instance.ExternalResourceLoaded(string path, bool success) in order to receive a signal callback whenever an external resource fails to load. For example:

public override void _Ready()
{
    ExternalResourceManager.Instance.ExternalResourceLoaded += (path, success) => {
        GD.Print($"External resource {(success ? "failed to load" : "loaded")}: {path}");
    };
}

📋 Todo Checklist

  • Set up Github Actions for validating PRs and tag releases
  • Add configurable addon settings
    • Different modes for when a bad resource is detected
    • Configurable blocklist for certain resource types
    • Add the possibility for configurable directory exemptions
  • Validate Godot 4.2.x+

A Godot C# plugin which attempts to safely load external resources, mitigating bad actors from arbitrary code execution at runtime. This attempts to scan for code signatures in any external resource loaded by Godot. If a code signature is detected, it will return an empty resource object. Otherwise, it will load the resource as intended.

⚠️ DISCLAIMER: This plugin does not make any guarantee or assurance that bad actors cannot still arbitrarily execute code. This merely mitigates the issue by scanning external resources for embedded scripts.

Reviews

0 ratings

Your Rating

Headline must be at least 3 characters but not more than 50
Review must be at least 5 characters but not more than 500
Please sign in to add a review

Quick Information

0 ratings
External Resource Loader (C#) icon image
mdarkwell
External Resource Loader (C#)

A Godot C# plugin which attempts to safely load external resources, mitigating bad actors from arbitrary code execution at runtime. This attempts to scan for code signatures in any external resource loaded by Godot. If a code signature is detected, it will return an empty resource object. Otherwise, it will load the resource as intended.⚠️ DISCLAIMER: This plugin does not make any guarantee or assurance that bad actors cannot still arbitrarily execute code. This merely mitigates the issue by scanning external resources for embedded scripts.

Supported Engine Version
4.1
Version String
4.1.0
License Version
MIT
Support Level
community
Modified Date
1 day ago
Git URL
Link to Git URL
Issue URL
Link to Issues URL

Open Source

Released under the AGPLv3 license

Plug and Play

Browse assets directly from Godot

Community Driven

Created by developers for developers