A friend shared another potential Godot Crime:
[!quote]
resources can contain code and loading them will execute that code
Related: https://github.com/godotengine/godot-proposals/issues/4925
Notably, since Ultraprocessor Ribbon uses the
ConfigFile API, the config file for the
game can be used as a code injection vector by
adding this to the end of the file:
[Foobar] foobar=Object(Resource,"script":Object(GDScript,"resource_local_to_scene":false,"resource_name":"","script/source":"extends Resource func _init(): print(\"Hello, world!\")"))Even though the config code in Ultraprocessor
Ribbon doesn't try to read the foobar
value, Hello, world! is printed to the
console.