Project Security

gZany

[Archived because of the discussion on absolute security below]

Does anyone know how to make it so that only you can run code even when someone remixes it?

Ravage

gZany Well, it is impossible to block remixes, as this simple proof can show:

You can edit or view any aspect of a remixed project
From Point 1, you can remove any remix protection (since you can remove any part you desire). Of course, the cleverer people would embed a vital part of the code into the remix protection like @Varrience, but again, as per Point 1, you can view any aspect of the code, so you can copy the vital parts back in.

I might not have fully comprehended that garbled sentence at the top, but, in case you are looking for absolute protection of your projects, that is impossible: the inspect console makes short work of that. The best you can do is block everything that comes before that (i.e. Vault). I really do not know if blocking the inspect console is even possible (it might be on Applab, but that's a totally different subject).

Also, @ackvonhuelio , your method causes quite an annoying problem: any noob that clears the keyValues with the data browser will inadvertently make the project crash for everyone, which will be quite annoying. My method of preventing remixes is just hiding a short, obfuscated block of code that checks with: window.getURLPath()[2].substring(0,10)==originalSlice. I use a substring to make it short. Of course, though, JS-deobfuscation is a thing. Can't have everything, though...

ackvonhuelio

I assume you're talking about gamelab.

keyvalues aren't carried over, so adding a keyvalue check should prevent dumb people from remixing (majority of CDO)

first, run this line once and only once- then delete it from your program.
setKeyValue('abacadabra', 'ack is the best');

then, put this in your code to check the keyvalue and crash the program however you wish
getKeyValue('abacadabra', function(e){ if(!e){ throw 'nuh uh'; } });

of course you might want to obfuscate this but yeah

additionally, you could check the URL, but this is easier to get around.
getURLPath()[2] //the jumble of random numbers and letters in the URL

gZany

ackvonhuelio Wow thx it worked

Varrience

yea..... i tried a unique way but since code is open source anyone can crack stuff if they want https://studio.code.org/projects/gamelab/YyEW6KgJLIZCz3tIQAjLRwOvJXbT1q1JufJXF4b0v_s/view including this but it's just how it is usually i don't mind if people decide to use some of my project code as long as I'm credited is all, and for the most part most of my public projects haven't been disrespected though it's not the same case for everyone, good luck!

gZany

I did it!!!

Varrience

Ravage to answer that question about blocking the inspect console you cant. the code inside code.org is sandboxed while i can backdoor through the inspect console it doesn't go the other way though hell you can even modify some of the runtime code if you know what your doing..... though i doubt only a few know how to do this besides me, so vault would probably be your best bet...... also you can make it more of a hellscape than what i did, though this was an earlier prototype of getting executable code to work, though i was planning on making a library that just screws with the user rather than flat out refusing to run

Ravage

Varrience How sad. Originally, to try and block the inspect console, I tried to detect the enter key pressed which would trigger the runButtonClick(), but it turns out that any keypress in the inspect console cannot ever register. As for "modifying runtime code," the only way I've heard of that is using the inspect console, //edit (or /edit.html), or line breaks, the latter 2 not being effective against libraries. As we all know, libraries 1. trigger instantly and 2. cannot have their code edited unless you edit it before it runs, which is impossible because of Point 1. The only way I've found to edit libraries is executing inspect console code right after the run button click (changing getURL and getURLPath return values). If you know of a way to get past Vault without any exterior JS (only gamelab console, so no bookmarklets or inspect), please do let me know.

Varrience

Ravage well i can bypass it without even needing to view the code is what I'm saying..... and i don't exactly intend on making that public (for obvious reasons that someone could make actual malware with it) if you get what i mean, what I meant was that i can execute any code i want without even having to be in view of the project the project has a global var much like applab does just a bit more hidden which allow runtime modification that you can't overwrite bc of sandbox privileges.....

Ravage

Varrience Well, the only way to modify runtime code without being in presentation mode is using the inspect console or some other external JS, most likely by indexing down __mostRecentGameLabInstance to evalInCurrentScope, or that one thing that allows you to quite literally edit the code being executed, which I have the feeling is what you are talking about. I was worried that you found a way to bypass Vault WITHOUT any external JS, which I thought impossible. Once again, you can do basically anything with the inspect console: you can set keyValues, run code before the project starts, and, as we know, edit the code while it is running.

Varrience

Ravage actually it might be possible to remove libraries as well.... I've never really tried it before though

Ravage

Varrience That has got to be possible, as I can probably prove quite easily:

The website NEEDS to have some kind of place where the code for libraries will be (either loaded when the project's page is first loaded, or stored above the main code).
Since the inspect console has utmost power, it can always edit that variable. Thus, you can remove libraries from the code entirely.

But that's not the question. The only concern I had was that you found out how to bypass Vault WITHOUT any external JS. Seriously, if you know how to DO IT WITHOUT EXTERNAL JS, please do tell me...

EDIT: I really hope I'm not coming off as aggressive here. You are actually one of the few people on here I wholeheartedly respect, and I'm just trying to make my stuff as safe as possible (without using external servers). Don't take it the wrong way.

Varrience

Ravage it's totally fine, i gotcha for now it seems fine.... not like I've fully tried breaking it yet though
I've kinda been remaking one of the older games so that it's actually workable and past me was actually a dumbass redeclaring multiple vars perhaps if i do get tired of what I'm doing I'll take a crack at it for now it seems good
anyways if i do find something I'll post it here to improve vault

Letti42

whats the link to vault

Ravage

Letti42 Here it is, sir: 2gXNMdCyoscsIUsYkhzBPNWHnbeFe3HyLpBfyb3zLgw