I was COMPLETELY WRONG about saves in Godot... ( ; - ;)

Captions
I recently made two videos about saving the player's progression with resources in Godot. One of you pointed out how it's unsafe to use resources if players download save games from the web, for example to unlock content without having to grind. Godot's resources can bundle code, and that code could be malicious. We say that resources support arbitrary code execution. Some of you care very much, so I decided to take some time to look into it, and it turns out you can combine resources and a safe format like JSON to get security without losing flexibility.

In this video, we'll first look at how resources can execute arbitrary code and all the features you should avoid to keep your saves secure. We will then see how you can still use resources for save games but use JSON for writing and loading the data. Resources can still be very useful for your game's data or plugins, but for saved games you may want to use a different format.

Let's look at the problem in Godot. I have a working save game here using resources, and please note that you can download it and find the previous videos on our website; the links are in the description. This demo I've modified to have a save game with some code injected into it. It looks like this: we have the normal save game data, so that the game appears to be working normally, and we have some script with some extra code. It has an init function that will run automatically when loading the save game. To achieve that, we create a new resource that has a script attached, and we attach that resource to our main save game. We can use the meta property to not modify any of the normal save data, so the player cannot see this happening normally.

Now if I run the game here, I get a pop-up. This is something running on my operating system, so it might look different on Windows, for example. It's just to show that this can run code outside of Godot. Let's say it can access your files, it can download stuff, it can do anything it wants, really. And for the player, they would just be able to play the game normally, to move around the map and all. They wouldn't see anything.

Now the challenge with that is that it actually affects quite a few useful features in Godot. Here we are saving and loading using plain text resources, as shown in the previous videos, but this issue also affects the very popular ConfigFile class in Godot, which you can use to save and load files with a very simple API. It also affects the functions var2str and str2var, which are functions available in GDScript to convert variables into text and vice versa. So these can save and load resources and are unsafe.

There is one exception: it's the functions bytes2var and var2bytes. These ones are used for web stuff, and so they have extra security by default. You have this allow_objects argument that is set to false by default, and that prevents any code from running. If you want to save data as binary, you can then use that, and that is safe.

For safety, you want to use a format to save and load that does not run any code, and so you have two options available in Godot: XML would be one, and another would be JSON. You can pick your favorite, or you can make your own, of course.

In this alternate demo, which looks the same as the other, I've used JSON for simplicity. I made a new script for my save game. This time it's not a resource; it extends the class Reference, because we're not going to save it using the resource system, but it works pretty much the same as in the previous video. It contains resources, and this allows us to have the character resource stored here, in the user interface, and in the player character. When we update the character stats or something like that, it only updates one character object, so we can immediately access the new properties and save them. Same for the inventory.

But now, instead of using the ResourceSaver.save function, we use JSON. So I have a different write save game function, and what it does is it first tries to open a file to write into. Then I convert all the data that I have here into one dictionary. The keys would be the variable names; you can organize them however you want. Then you map some values, like the character's position, the character's name, those kinds of things. Just note that JSON cannot save things like vectors or matrices or some of Godot's built-in types directly, so you have to split them. This is why I have a global position that's a dictionary here with an x and a y: I have to decompose the player's position on the map. Once you've made your dictionary, all you have to do is save it, and for that, use the JSON.print function. You can then store that string in your file and close the file.

When loading, you do the same thing but in reverse. You're first going to open the save file, then you get the content as text, and you're going to convert the text back to a dictionary using JSON.parse. This is going to return an object that has a result property, and that result is your game data. Then you do the same thing as before but in reverse: you're going to extract the fields from your data dictionary and put them back into your resources and your game data, basically.

This is quite nice because, as I've mentioned, the use of resources makes it so you can have the data accessible in your saved game and in the rest of the game systems, but then you also have the safety of JSON.

I brought this to the developers, and not only have they been helpful as usual, we also talked about the possibility of making resources safe in the future. So stay tuned; you might be able to use resources for save games, probably in Godot 4 or something like that.

This video and open-source demo is sponsored by our courses. If you're a beginner, you will love Learn to Code From Zero with Godot. It's a complete course to get started with game development, with tons of lessons and cool interactive practices. If you're more experienced, then Godot Node Essentials is for you. It's the biggest knowledge base about all the things you can do with Godot's nodes. You'll find links in the description below. Be creative, have fun, and I'll see you in the next one. Bye-bye.
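
Added example, not taken from the video or the GDQuest demo: a minimal Godot 3.x sketch of the JSON write and load steps described above, with type checks on load so a downloaded save file is treated as untrusted data. `SAVE_PATH`, `display_name` and the two-field layout are assumptions made for illustration.

```gdscript
# Illustrative save-game script for Godot 3.x (names are hypothetical).
extends Reference

const SAVE_PATH := "user://save.json"

var display_name := "Player"
var global_position := Vector2.ZERO


func write_savegame() -> int:
	var file := File.new()
	var error := file.open(SAVE_PATH, File.WRITE)
	if error != OK:
		return error
	# JSON has no Vector2 type, so the position is split into x and y.
	var data := {
		"display_name": display_name,
		"global_position": {"x": global_position.x, "y": global_position.y},
	}
	file.store_string(JSON.print(data))
	file.close()
	return OK


func load_savegame() -> int:
	var file := File.new()
	var error := file.open(SAVE_PATH, File.READ)
	if error != OK:
		return error
	var content := file.get_as_text()
	file.close()

	# JSON.parse only builds dictionaries, arrays, strings, numbers, booleans
	# and null, so no script or object can be instantiated from the file.
	var parsed := JSON.parse(content)
	if parsed.error != OK or typeof(parsed.result) != TYPE_DICTIONARY:
		return ERR_PARSE_ERROR
	var data: Dictionary = parsed.result
	var pos = data.get("global_position")
	# Reject any field with an unexpected type instead of assigning it blindly.
	if typeof(data.get("display_name")) != TYPE_STRING or typeof(pos) != TYPE_DICTIONARY:
		return ERR_INVALID_DATA
	if typeof(pos.get("x")) != TYPE_REAL or typeof(pos.get("y")) != TYPE_REAL:
		return ERR_INVALID_DATA
	display_name = data["display_name"]
	global_position = Vector2(pos["x"], pos["y"])
	return OK
```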
Info
Channel: GDQuest
Views: 58,366
Id: j7p7cGj20jU
Length: 7min 9sec (429 seconds)
Published: Tue Jul 19 2022