Sponge and Java security manager

I’ve made a Forge mod that allows the player to modify terrain using Java directly in-game, rather than any kind of scripting or configuration file.

It works well but there is a large security issue in multiplayer: players can run any code they want on the server. So currently I’m disallowing the mod to be run in multiplayer (or LAN).

Forge totally disables the Java security manager / sandbox. If not for that I could just disable file permissions etc. in the user code and run it safely. So I wonder if Sponge could be a solution for that?

I was going to use Minecraft Coder Pack but Sponge looks like a better API. Does vanilla Sponge disable the security manager in the same way Forge does? There doesn’t seem to be much justification for it in my opinion, and when I checked the Forge forums all I could find were toxic responses from the development team.

As far as I know it doesn’t.

The reason Forge is against it is that they provide their own security manager, which was put in place to prevent mods from doing nasty things, back when there was some modding drama over mods being included in packs, and with other mods, without permission. *rolls eyes*

But did you tell them that you wanted a more restrictive security manager?

They have in the past been wary of more restrictive security managers, as they wanted to discourage server hosts from using real virtualization, considering the number of Java sandbox escapes that have been found in the past.

My problem is that after looking into the issue, the Java security manager is the only way to do proper sandboxing (compared to custom class loaders that refuse to load based on name etc.). While it’s true there may have been escapes in the past, it seems silly to disable the #1 and only recommended way of sandboxing.

I was tempted to just release the mod without any restriction. I still might just make it a flag in the configuration to enable multiplayer rather than completely prevent it. And so what have they gained by removing one of the core things that Java has always been known for (sandboxing)?

Their current security manager (which can’t be overridden) still allows file access, which is one of the main ways to destroy a system.

But thanks for the info, I’ll check out Sponge some more now and see if I can play with the security manager. I wonder about releasing it as a vanilla mod that would be incompatible with other mods; I don’t really know if that matters much because I take over the world provider anyway. But it would be nice to have both sandboxing and compatibility with other mods.
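As an added illustration (not code from this thread, the mod, Forge or Sponge) of the permission-based sandboxing the post above argues for: the user's in-game compiled classes are defined into a ProtectionDomain that holds no permissions, so the security manager's stack walk, rather than a name-filtering class loader, denies file access from their code while the mod's own classes keep working. The class, loader and method names are assumptions.

```java
import java.io.File;
import java.security.*;
import java.security.cert.Certificate;
// Sandbox for in-game compiled user code (hypothetical names; not the mod's or Sponge's own API).
// User classes live in a ProtectionDomain with an empty permission set, so the security manager's
// stack walk denies file (and every other) permission while a user frame is on the stack; the
// mod's and server's own classes keep AllPermission through the installed Policy.
public final class UserCodeSandbox {
    // The two-argument ProtectionDomain is "static": it never consults the Policy, so the
    // empty permission set is final for every class defined in it.
    static final ProtectionDomain UNTRUSTED;
    static {
        Permissions none = new Permissions();
        none.setReadOnly();
        UNTRUSTED = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), none);
    }
    /** Defines bytecode from the mod's in-memory compiler inside the untrusted domain. */
    static final class SandboxLoader extends ClassLoader {
        SandboxLoader(ClassLoader parent) { super(parent); }
        Class<?> define(String name, byte[] bytecode) {
            return defineClass(name, bytecode, 0, bytecode.length, UNTRUSTED);
        }
    }
    /** Grants everything to normally loaded code, then turns the security manager on. */
    public static void install() {
        Policy.setPolicy(new Policy() {
            @Override public PermissionCollection getPermissions(CodeSource cs) {
                Permissions all = new Permissions();
                all.add(new AllPermission());
                return all;
            }
            @Override public boolean implies(ProtectionDomain pd, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());
    }
    /** Runs an action as if user code were on the stack, to test the sandbox without compiling. */
    public static <T> T runAsUser(PrivilegedAction<T> action) {
        return AccessController.doPrivileged(action,
                new AccessControlContext(new ProtectionDomain[] { UNTRUSTED }));
    }
    public static void main(String[] args) {
        install();
        File f = new File("server.properties");   // illustrative path; File.exists() calls checkRead
        System.out.println("mod code may probe the file: " + f.exists());
        try { runAsUser(f::exists); System.out.println("sandbox NOT effective"); }
        catch (AccessControlException e) { System.out.println("denied as expected: " + e.getPermission()); }
    }
}
```

On JDK 8 this runs as shown; from JDK 17 the SecurityManager is deprecated for removal (JEP 411), and from JDK 18 System.setSecurityManager only succeeds when the JVM is started with -Djava.security.manager=allow.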

What do you mean by this? I’m just trying to understand what the mod does.

Basically the chunk generator is replaced at runtime. But instead of replacing it with another class, the player enters source code, it gets compiled by the mod then installed as the new chunk generator.

The main goal is to allow people to build their own terrain mod in a simple way (no need for a JDK, Forge files etc.) yet still have full power and speed using straight-up Java.

I can go into detail about how it’s implemented but don’t want to crap on too much.

OK I see.

I’m just wondering how many people will use the feature. It sounds interesting, but it also sounds like knowledge of Java and underlying code is a requirement (at a minimum). This reduces the number of potential users before you even get to the question of how many will want to do this.

Just putting this out there for thought.

It’s a fair point and has crossed my mind. I feel users would be people who just want to dabble without having to set anything up.

In the end they really only get one method to play with, which is IBlockState getBlock(x, y, z). So it should be fairly easy for them to take an example (say one that draws a fractal) and just modify some of the parameters.