Dangerous public servers LUA eval

[BiosNod]

I read in discord in "Public servers" about dangerous LUA eval ability:

Only join servers from people you trust, malicous server owners can send a packet to execute lua code on your computer (RCE).
We are not responsible for anything that happens to your computer when you join public servers.

Servers can deliver new script payloads to the client, and the client will execute them in an environment that can launch other programs on the host machine. It's not GC-specific, so any protections in GC are useless, protections will need to be clientside to have any security.

@Hartie95 says: If I remember it correctly akebi also has protection for that build in

This is really not funny when the server can send the code to your computer and it will execute it, maybe probably add a client patch against the server code execution, some option to do that?

[KingRainbow44]

this is one of the larger concerns surrounding private servers, and something the team has thought of many times. currently the focus is on getting UserAssembly patching into Cultivation since this can already be done when injecting akebi. it's definitely a feature that will be implemented at some point though!

[tuananhlai]

I'm curious if this issue has been resolved. Remote code execution seems to be a major issue but there hasn't been any updates since 2022 🤔

[NotThorny]

I'm curious if this issue has been resolved. Remote code execution seems to be a major issue but there hasn't been any updates since 2022 🤔

Cultivation does nothing to packet traffic, and certainly does not block windy. If you need to block it then look for another solution, such as akebi - or simply avoid random/untrusted public servers, perhaps even public servers in general. I doubt the current Cultivation will ever have this feature, but one of the remakes (if ever successful) may do so.