Is it a security vulnerability to use, from a LocalScript, a ModuleScript that is in ServerStorage?

Asked by 7 years ago
Edited 7 years ago

I spent some time reading about the folders of Roblox Studio (ReplicatedFirst, ReplicatedStorage, ServerScriptService, ServerStorage, StarterGui, StarterPack), and I'm still a little confused about what or where a security vulnerability is.

I read that ServerStorage is a safe place and that local scripts cannot access ServerStorage, but I put a ModuleScript in ServerStorage and called it from a local script in StarterGui, and it works.

My code doesn't have any errors, but I am concerned about the security risks that can be involved in using modules that execute important logic or contain sensitive data within a local script. I mean, if someone tries to play with the code of the local script, the errors are going to be contained in the client, but a ModuleScript is unique and will only be built once, and all the clients are going to use this ModuleScript, so if someone modifies data in the ModuleScript, the errors would propagate to all clients, and then the server would crash.

So, is it a security vulnerability to call, from a LocalScript contained in StarterGui (or a tool, or anywhere), a ModuleScript that is contained in ServerStorage?

Any help would be appreciated.

2 answers

Answered by 7 years ago

You cannot use LocalScripts to access the ServerStorage. It will not work in actual servers. The ReplicatedStorage is a good place to put stuff you want LocalScripts to access because Scripts can access the ReplicatedStorage.

Another thing you could do is you could just put the ModuleScript in the ReplicatedStorage. It will be fine there because that script is essentially useless unless a script accesses it.

Hopefully this helped!

the ReplicatedStorage can access the ServerStorage? LordSalchipapas 96 — 7y
ReplicatedStorage & ServerStorage are both separate services. :P @LordSalchipapas TheeDeathCaster 2368 — 7y
Answered by 7 years ago

To answer your question on the security side of things: a potential hacker/exploiter may be able to modify their version of a ModuleScript, but any changes they make will not impact the version of the ModuleScript used by the server nor any other client. Everyone gets a copy of the ModuleScript (unless you store it in a server-only area, like ServerScriptService).

Generally speaking, the security of the situation doesn't change, regardless of what folder you put something in (though there is one exception I can think of below).

Just know this: a potential hacker/exploiter might, in the worst case, have full control over their client -- as if they'd opened up a copy of your place in Roblox Studio (though you can assume that they cannot change your actual place, just their client version). This is why FilteringEnabled is so important -- without it, an exploiter can spawn anything they like and the server will propagate it to other clients. With FilteringEnabled on, they can still spawn whatever they like, but it won't affect anyone else.

In terms of scripts, note that the content of Scripts is not sent to the client, since they are never meant to run client-side (but the content of ModuleScripts and LocalScripts is). So, for instance, if you were using the HTTPService and the script needed a password of some kind to access the service, you'd want to store that in a Script (a ModuleScript is okay if placed in a server-only location, like ServerScriptService).

Assume that any RemoteEvents/Functions you have can be triggered by the hacker/exploiter and you'll be on your way to making your place exploit-proof (or at least as good as anyone could make it).
