#GitHub - autumngmod/libloader: Package m...


slender sluice
#

John gitelman

opaque lava
#

RCE 🥰

dreamy harbor
#

Looks like a pretty interesting idea. Would be cool if it also had a package file to track and install all required packages.

My only issue with Lua package managers like this in general is GMod's lack of protected storage.

Here it's storing scripts in the data dir and then passing them to RunString, which makes sense, but it also now makes it possible for malicious scripts to inject something into those files (which they can also access) and gain persistent code execution, as opposed to a static Lua file which they can't edit. (Could add checksum file verification before loading, but then where do you store the known references to compare against?)

daring crow
#

God I would like a package manager for Garry's Mod

#

But Morgverd brings up legitimate concerns

dreamy harbor
#

I just mean that it's a surface for persisting code

#

Say I find a net vulnerability that allows arbitrary code execution on a server, this is obviously bad but most of the stuff you can do with that can be reversed by restarting the server (outside of deleting database stuff and data dir ofc)

#

Having files in the data directory that are reliably run means that that attacker could now inject whatever into those files, persisting their backdoor across restarts

#

I'm not saying it's a fault with the addon really, just something to consider with addons like this

royal rover