Disable SCSI (remote unsandboxed code execution) by default
Skyedra committed Aug 18, 2024
1 parent 6a98875 commit 1922233
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions Robust.Server/Scripting/ScriptHost.cs
@@ -1,3 +1,4 @@
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Diagnostics.CodeAnalysis;
@@ -138,6 +139,22 @@ private async void ReceiveScriptEval(MsgScriptEval message)
var replyMessage = new MsgScriptResponse();
replyMessage.ScriptSession = message.ScriptSession;

// Safety check. There's no reason most production servers should allow remote code execution IMO,
// especially since it is not sandboxed. If you really need it, enable the environment variable.
if (Environment.GetEnvironmentVariable("ALLOW_RCE_VIA_SCSI") != "YES")
{
string deniedMessage = "SCSI is disabled by default in MV. Set ALLOW_RCE_VIA_SCSI=YES environment variable to use it. Be aware this allows remote code execution on your server.";
_sawmill.Warning(deniedMessage, session);

replyMessage.Echo = new FormattedMessage();
replyMessage.Response = new FormattedMessage();
replyMessage.Response.AddText(deniedMessage);
replyMessage.WasComplete = true;
_netManager.ServerSendMessage(replyMessage, message.MsgChannel);

return;
}

var code = message.Code;

if (code == "y" && instance.AutoImportRepeatBuffer.HasValue)
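Review bot: The warning logged on the denied path does not record who made the attempt: `deniedMessage` contains no placeholder, so the `session` argument in `_sawmill.Warning(deniedMessage, session)` is presumably dropped (assuming the logger treats its first argument as a format template). A refused remote script evaluation is worth attributing in the server log, for example `_sawmill.Warning("Script eval from {0} refused: ALLOW_RCE_VIA_SCSI is not YES", session);`, keeping `deniedMessage` for the reply text only. The gate is added only inside `ReceiveScriptEval`, whose body starts and ends outside this hunk. If other handlers in this class compile or run client-supplied code, they need the same check, ideally through one shared helper so the default-off behaviour cannot drift between entry points.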