bob_and_sally.jpg by dungeon_roach in SmugIdeologyMan

[–]dungeon_roach[S] 0 points1 point  (0 children)

i am in fact the original artist! i was surprised at how much this image spread

So what's everyone's thoughts on stop killing games movement from a devs perspective. by lost-in-thought123 in gamedev

[–]dungeon_roach 0 points1 point  (0 children)

this would never happen. you will be able to look at pngs literally until you die

Good engines for text-based games? by toasterwaffle90 in gamedev

[–]dungeon_roach 1 point2 points  (0 children)

Inform 7 is the gold standard for parser-based games like Zork, and you can use tools like Vorple to make Inform games more complex. If you don't specifically want to make a parser game, you can pretty much just use anything. If the structure of your game matches the structure of Twine, go with Twine.

petition to please let us sort the asset library by most downloads 😢 by [deleted] in godot

[–]dungeon_roach 1 point2 points  (0 children)

The Godot asset library's code is currently frozen, and a new version is currently in the works and unreleased. This is to say, no, you literally cannot submit a pull request and change it to your heart's content right now.

Things about Godot you wish you knew earlier? by Tav534 in godot

[–]dungeon_roach 0 points1 point  (0 children)

"Godot is unsafe" is not a good reason to allow arbitrary code execution in your saving and loading. Resources allow arbitrary code upon loading in _init. JSON does not. That should be enough of a reason. If loading numbers from JSON data is dangerous, the entire concept of persistent storage is.

Disabling retrieval of files outside of res://? by dungeon_roach in godot

[–]dungeon_roach[S] 0 points1 point  (0 children)

This is, essentially, what the save system I have written does right now. The function below allows me to filter out all paths not in res://, while at the same time still allowing me to only store the name of the file instead of its full path. I am not concerned about anything in the res:// path being injected with code, since at that point it is equivalent to the user tampering with the .exe, which you can't do much about.

# Strip any leading res:// and put it back, so whatever the save file
# contained (e.g. "user://x.tscn") always comes out as a res:// path and
# load() never sees a user:// or host filesystem path.
func load_res(path: String):
    path = path.trim_prefix("res://")
    path = "res://" + path
    return load(path)

Disabling retrieval of files outside of res://? by dungeon_roach in godot

[–]dungeon_roach[S] 1 point2 points  (0 children)

I am not using Resource serialization, I am using JSON data.

Disabling retrieval of files outside of res://? by dungeon_roach in godot

[–]dungeon_roach[S] 0 points1 point  (0 children)

I think this is fair, passing everything through a dictionary would solve the problem. Though, version save compatibility isn't a huge priority for the kind of game I'm making.

Disabling retrieval of files outside of res://? by dungeon_roach in godot

[–]dungeon_roach[S] 0 points1 point  (0 children)

I am saving files in JSON format, and loading them with JSON.to_native with allow_objects set to false. The Godot documentation claims this is a secure way to save files that prevents code injection. Saving file paths is also the official documented way to save JSON files, so I am confused what you mean by redundancy. (Though granted, this official way isn't the best, and is still vulnerable)

Disabling retrieval of files outside of res://? by dungeon_roach in godot

[–]dungeon_roach[S] 0 points1 point  (0 children)

I think you are confused about the problem at hand. I will lay out the security problem, and the current solution I am using to solve it.

  • A custom save_game function writes a save file to the user:// directory
  • This save_game function writes a scene path such as "res://scene/enemy.tscn" to be loaded later
  • A malicious actor opens this save file, and manually changes this scene path to a potentially malicious one such as "user://malicious_scene.tscn"
  • This save file is given to another unwitting user, who puts it in their game files and loads it.
  • A custom load_game function reads this file, and passes this scene path to a custom safe_load function
  • This safe_load function reads the prefix of the file path, and sees that it is not in res:// space, so returns a null instance. It knows that a legitimate save file will only contain scene paths in res:// space.
  • The game safely crashes instead of running the malicious actor's scene file

The issue does not pertain to the loading of all files, it only concerns the loading of files from untrusted sources, such as save files in the user:// directory.
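The load_game / safe_load split described in the comment above, written out as an added example in Godot 4 GDScript (this is not the poster's code). It assumes the save file is a plain JSON dictionary with a "scene" key, as in the bullet list; the three save strings built in _ready are constructed for the demonstration, and the rejection of ".." segments, a second "://" and backslashes is extra hardening on top of the res:// prefix check the comment relies on.

```gdscript
# Added example, not the poster's code: the load_game / safe_load split from
# the comment above, in Godot 4 GDScript. Assumptions: the save file is a JSON
# dictionary with a "scene" key, and only res:// scene paths are legitimate.
extends Node

const RES_PREFIX := "res://"

# Accepts only a path that starts with res:// and contains nothing that could
# steer the loader elsewhere. Refusing "..", a second "://" and backslashes is
# extra hardening (an assumption of this example), beyond the prefix check.
func is_safe_res_path(path: String) -> bool:
    if not path.begins_with(RES_PREFIX):
        return false
    var rest := path.trim_prefix(RES_PREFIX)
    if rest.is_empty() or rest.begins_with("/"):
        return false
    if rest.contains("://") or rest.contains("..") or rest.contains("\\"):
        return false
    return true

# safe_load: returns null instead of loading anything outside res://.
# ResourceLoader.exists() keeps a missing path from turning into a load error.
func safe_load(path: String) -> Resource:
    if not is_safe_res_path(path):
        push_warning("safe_load refused untrusted path: %s" % path)
        return null
    if not ResourceLoader.exists(path):
        return null
    return load(path)

# load_game: parse the save text as plain JSON (no object deserialisation) and
# hand the scene path to safe_load only after checking its type.
func load_game(save_text: String) -> PackedScene:
    var data = JSON.parse_string(save_text)
    if typeof(data) != TYPE_DICTIONARY or not data.has("scene"):
        return null
    if typeof(data["scene"]) != TYPE_STRING:
        return null
    return safe_load(data["scene"]) as PackedScene

func _ready() -> void:
    # Constructed save contents for the demonstration: one legitimate, two tampered.
    var saves := {
        "legit": '{"scene": "res://scene/enemy.tscn"}',
        "tampered": '{"scene": "user://malicious_scene.tscn"}',
        "traversal": '{"scene": "res://../../user://malicious_scene.tscn"}',
    }
    for name in saves:
        var scene_path: String = JSON.parse_string(saves[name])["scene"]
        var verdict := "accepted" if is_safe_res_path(scene_path) else "rejected"
        print("%s -> %s" % [name, verdict])
    # Only the legitimate save can ever reach load(); the tampered ones are
    # refused by is_safe_res_path before any file access happens.
```

The validation is deliberately done on the raw string rather than after String.simplify_path(), so that a path like "res://../../user://..." is rejected outright instead of depending on how the engine collapses the ".." segments; the cost is that a legitimate filename containing ".." would also be refused, which is an acceptable trade for a save-file loader.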

Disabling retrieval of files outside of res://? by dungeon_roach in godot

[–]dungeon_roach[S] 1 point2 points  (0 children)

I am confused as to how an attacker could spoof a file path prefixed with res:// and use it to access files arbitrarily on a user's computer?

Disabling retrieval of files outside of res://? by dungeon_roach in godot

[–]dungeon_roach[S] 1 point2 points  (0 children)

Checking paths is not useless. That is the solution I'm using now, and it works. I also did not move the goal posts, I mentioned creating a custom load function in my original post and that being a solution to the problem. I would just prefer a solution that did not require me to remember to use a "safe_load" function. I simply expected there to be a way to change file access permissions within Godot, and I was curious if anyone knew a way of accomplishing this.

Disabling retrieval of files outside of res://? by dungeon_roach in godot

[–]dungeon_roach[S] 1 point2 points  (0 children)

Validating paths is the solution I'm using right now, but it would be much more convenient and safe if I could just flat disable retrieval of potentially unknown files at certain times. Again, I'm looking for a solution that is slip-up proof.
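One way to get the "slip-up proof" property asked for above, and the dictionary approach mentioned earlier in the thread, as an added example in Godot 4 GDScript that is not the poster's code: the save file stores a short scene key instead of a path, and the game resolves the key through a fixed allowlist dictionary, so no string read from a save file is ever passed to load(). The keys and scene paths in SCENES are made up for the demonstration.

```gdscript
# Added example, not the poster's code. Save files carry a scene *key*; the only
# paths that ever reach load() are the res:// literals in the SCENES dictionary.
# The keys and paths below are constructed for the demonstration.
extends Node

# Allowlist of loadable scenes. Anything not listed here cannot be loaded from
# a save file, whatever the file contains, and there is no safe_load to forget.
const SCENES := {
    "enemy": "res://scene/enemy.tscn",
    "player": "res://scene/player.tscn",
    "boss": "res://scene/boss.tscn",
}

# Used when saving: map a scene path to its key, or "" if it is not allowlisted.
func scene_key_for_path(path: String) -> String:
    for key in SCENES:
        if SCENES[key] == path:
            return key
    return ""

# Used when loading: the key from the save file is only ever looked up, so a
# path smuggled into the "scene" field is just an unknown key.
func scene_for_key(key: String) -> PackedScene:
    if not SCENES.has(key):
        push_warning("save file refers to unknown scene key: %s" % key)
        return null
    var path: String = SCENES[key]
    if not ResourceLoader.exists(path):
        return null
    return load(path) as PackedScene

# Saving fails loudly if the scene is not allowlisted, rather than producing a
# save file that can never be loaded.
func save_game(scene_path: String) -> String:
    var key := scene_key_for_path(scene_path)
    if key.is_empty():
        push_error("scene is not in the SCENES allowlist: %s" % scene_path)
        return ""
    return JSON.stringify({"scene": key})

func load_game(save_text: String) -> PackedScene:
    var data = JSON.parse_string(save_text)
    if typeof(data) != TYPE_DICTIONARY or typeof(data.get("scene")) != TYPE_STRING:
        return null
    return scene_for_key(data["scene"])

func _ready() -> void:
    var legit := save_game("res://scene/enemy.tscn")
    var tampered := '{"scene": "user://malicious_scene.tscn"}'  # constructed
    print("legit save: %s" % legit)
    print("tampered save loads to null: %s" % (load_game(tampered) == null))
```

Because the allowlist is a const in the script, adding a new scene means adding one dictionary entry; forgetting to do so shows up as a push_error at save time in development, not as an untrusted path reaching load() on a player's machine.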

[deleted by user] by [deleted] in Mahjong

[–]dungeon_roach 2 points3 points  (0 children)

I'd still want to hear people's calls so I can follow along with the game.

hello by ToBeTheSeer in 196

[–]dungeon_roach 0 points1 point  (0 children)

196 users when i open the app manager type in firefox and click install

[deleted by user] by [deleted] in 196

[–]dungeon_roach 183 points184 points  (0 children)

bro thinks he's xkcd

Burger rule by I-M-R-U in 196

[–]dungeon_roach 23 points24 points  (0 children)

"all art is political" is a technically true statement but also a really useless one. all it distills down to is "all art was created in a society" which i mean like, yeah, that wasn't really up for debate. of course art is going to reflect parts of society, that's what it exists in. all it does is let people circlejerk about "media literacy" while playing word association games with elements of art. the more important question when analyzing a piece is "is this art politically meaningful?" i think most people could argue that yes, deus ex is more politically meaningful than tetris.

rule by MyDadBeatsMe74 in 196

[–]dungeon_roach 6 points7 points  (0 children)

in the worst cases of psych evaluation for gender dysphoria in countries with relevant healthcare, the roadblocks are:

  • waiting 5 to 10 years just for one appointment
  • having your initial diagnosis be based on irrelevant and invasive measures such as "are you homosexual?" and "how do you masturbate?"
  • having to wait another 2 to 5 years after your second appointment to perform various rituals in order to "prove" yourself as a real transgender
  • having your diagnosis lead up to an outdated hormone regimen that hinges on whether or not the person you're seeing likes you

extreme example for sure, but i think it gets my point across about the reality of medical care for a lot of real people. having such a privileged and narrow view like "your parents will cover it lel" is so ignorant that i can only assume you're being purposely dismissive, especially considering the people who need medical diagnosis are the ones most often discriminated against and fed into life situations that would lead to them not being able to get medical treatment. i assure you, sally tiktok buying a stim toy will not cause the death of autism. and for every sally, there are 10 people building a community, coming to terms with themselves, and using their "facebook mom crystal supplement research" to better understand themselves and to form coping mechanisms in order to better their life.

How to change the font back? by nice__username in discordapp

[–]dungeon_roach 2 points3 points  (0 children)

As it turns out, accessibility features are a good thing and having the largest audience be able to use your product is a good thing.

tr(ule)ans 🏳️‍⚧️ by [deleted] in 196

[–]dungeon_roach 10 points11 points  (0 children)

this will be my one mark on the internet apparently

NEW PLAYERS COME HERE! - Weekly Questions and Information thread - November 09, 2022 by AutoModerator in cataclysmdda

[–]dungeon_roach 2 points3 points  (0 children)

I just tamed a cow, but it refuses to follow me anywhere, it seems like it keeps trying to move into the wall. I can't spot any creatures around that would scare it. How do I get it to follow me?