Yesterday, I changed the save game code to use the var_to_str and str_to_var functions to save and load the save file (20240617214349). I did this instead of JSON because, in Godot, JSON does not round trip.
Unfortunately, this opens the possibility of arbitrary code execution vulnerabilities, as it allows a malicious user to insert a script which gets run when the save is loaded.
Looking into what options I have, I found that store_var and get_var let you read and write Variants while preventing scripts from running. The documentation states:
Stores any Variant value in the file. If full_objects is true, encoding objects is allowed (and can potentially include code).
I also found a GitHub issue, godotengine/godot#4925, about this, where store_var and get_var are suggested as a workaround.
I agree that
File.store_var/get_var in combination with a dictionary is already sufficient for a convenient implementation of save files. Although the analog of allow_objects should be added to the VariantParser, so that text serialization (for example, ConfigFile) also becomes safe.
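As an added example (not code from this post or from the Godot project), here is what the store_var/get_var plus dictionary approach from the documentation and the issue comment above looks like in Godot 4 GDScript. It assumes the Godot 4 FileAccess API, a hypothetical save path of user://savegame.bin, and a made-up save schema (version, player_name, position, inventory). full_objects and allow_objects are left at their default of false, so objects, and therefore scripts, are refused on both write and read; the loader still validates the shape of what comes back, because a save file is untrusted input even when it cannot carry code.

```gdscript
# Added example, not the post's own code. Assumes the Godot 4.x FileAccess API.
extends Node

const SAVE_PATH := "user://savegame.bin"   # hypothetical path for this example
const SAVE_VERSION := 1                    # hypothetical schema version


# Build a plain-Variant snapshot of game state: only Dictionaries, Arrays,
# Strings, numbers, bools and built-in value types such as Vector2.
# No Objects (and so no Scripts) ever go into the save.
func make_save_data(player_name: String, position: Vector2, inventory: Array) -> Dictionary:
	return {
		"version": SAVE_VERSION,
		"player_name": player_name,
		"position": position,
		"inventory": inventory,
	}


func save_game(data: Dictionary) -> Error:
	var file := FileAccess.open(SAVE_PATH, FileAccess.WRITE)
	if file == null:
		return FileAccess.get_open_error()
	# full_objects is left at its default (false): if an Object ever sneaks
	# into the dictionary it is not encoded, so code cannot be written out.
	file.store_var(data)
	file.close()
	return OK


func load_game() -> Dictionary:
	if not FileAccess.file_exists(SAVE_PATH):
		return {}
	var file := FileAccess.open(SAVE_PATH, FileAccess.READ)
	if file == null:
		push_error("Could not open save: %s" % error_string(FileAccess.get_open_error()))
		return {}
	# allow_objects is left at its default (false): an encoded Object in a
	# tampered file is never instantiated, so no script can run on load.
	var raw: Variant = file.get_var()
	file.close()
	return validate_save(raw)


# Check the shape of the decoded Variant before the rest of the game touches
# it. Anything that does not match the expected schema is dropped.
func validate_save(raw: Variant) -> Dictionary:
	if typeof(raw) != TYPE_DICTIONARY:
		push_error("Save is not a Dictionary")
		return {}
	if raw.get("version") != SAVE_VERSION:
		push_error("Unsupported save version")
		return {}
	if typeof(raw.get("player_name")) != TYPE_STRING \
			or typeof(raw.get("position")) != TYPE_VECTOR2 \
			or typeof(raw.get("inventory")) != TYPE_ARRAY:
		push_error("Save has unexpected field types")
		return {}
	return raw


func _ready() -> void:
	var data := make_save_data("Hero", Vector2(12, 34), ["sword", "potion"])
	if save_game(data) != OK:
		push_error("Saving failed")
		return
	var loaded := load_game()
	# With an untampered file, loaded is equal to data; with a tampered or
	# foreign file, loaded is an empty Dictionary and an error is pushed.
	print(loaded)
```

The validation step is what turns "no code can run" into "no bad data gets in": get_var with allow_objects false stops the script-injection case the post is worried about, but it will happily return a Dictionary with missing keys or wrong types, which is why the loader checks each field before returning it.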