Comments (9)
... except the updating process is, more or less, the exact same as the installing process. Why would you run this isolated, anyway?
from roblox-studio-mod-manager.
So I looked into this problem a few weeks ago, and it might actually be possible for me to stop using MD5 if I can avoid having to compute hashes for any files.
It’s easier said than done though, given that Roblox doesn’t list all files in the manifest.
I could try to work around this by using SHA256 hashes for these instead.
This is a solvable issue and I do want to take it on, but I ran into several problems when I tried to get it working during my first attempt. It’ll need to be something I spend like a day working on, and I don’t have that much spare time due to my job and college-related stuff.
Stay tuned.
from roblox-studio-mod-manager.
Not what I mean -- when a user is running Windows under an Isolated Environment, it is not possible to launch applications that are not FIPS compliant. It throws a hard crash exception every time.
Pressing continue does not work, as the program itself needs this function to operate properly.
When you click "Launch Studio" and your installation is out of date, the program forces an update.
What I mean by "a solution can be made by not running the update process at all, and rather just running the installation." is exactly what I mean: add an option to not bother updating Studio and rather run the executable.
from roblox-studio-mod-manager.
Tada! I finally got around to it.
Let me know if this satisfies the FIPS compliance!
a77f9e3
from roblox-studio-mod-manager.
Resolved.
from roblox-studio-mod-manager.
I figured this might come up, so let me explain what the situation is here with MD5.
MD5 is used because those are the checksums provided by Roblox’s manifest files, and I need them to deduce what directories the zip files are extracted into.
When installing a build from Roblox on production, I use the following endpoint:
https://clientsettings.roblox.com/v1/client-version/WindowsStudio64
At present, the provided version-guid is version-ca3bf34f8a0c4134.
Using this, I can fetch the manifest files from Roblox’s Amazon S3 bucket, via:
https://s3.amazonaws.com/setup.roblox.com/version-ca3bf34f8a0c4134-rbxPkgManifest.txt
https://s3.amazonaws.com/setup.roblox.com/version-ca3bf34f8a0c4134-rbxManifest.txt
These manifest files tell me what zip files I need to install using the version-guid prefix, and what the outcoming file directory structure will look like using the files in those zip files.
All of these files are downloaded over an HTTPS connection. I check the zip file MD5 hashes (via rbxPkgManifest.txt) to verify it transferred correctly, and deduce the relative extraction directories using the provided MD5 file hashes (via rbxManifest.txt).
I recognize the risks of MD5 for cryptographic reasons, but I am using it for a non-cryptographic purpose at the application level. I put trust into .NET to throw an exception if it cannot establish a trusted HTTPS connection to Amazon S3, and assume TLS 1.2 handshakes are handled appropriately there.
If there is a flaw I am overlooking here, please let me know!
from roblox-studio-mod-manager.
Also worth mentioning, the setup.roblox.com Amazon S3 bucket is a trusted 3rd party vendor (in this case, being Roblox) that is assumed to be distributing files correctly as would be expected for Roblox’s own bootstrapper.
One theoretical attack that could happen here is if Roblox were to suddenly abandon one of its sitetestX.robloxlabs Amazon S3 buckets and someone was somehow able to swoop in and take the bucket for themselves, and then spoof the existing protocol. This is VERY unlikely to happen, but I would likely notice it very fast and issue a patch to the application to disable further use of that bucket domain.
This flaw is unfortunately a side effect of Roblox making their API domains private on their test domains, so I had to fall back to inference using the DeployHistory.txt file they write upload logs to.
At the end of the day, this flaw is on Roblox’s end. Any attack that could happen which affects my mod manager would also affect their own bootstrapper. I would happily switch to SHA256 if they started using it for their file signatures.
from roblox-studio-mod-manager.
Understandable, but when a program is not FIPS compliant, it is not possible to run it on isolated environments. Therefore, a solution can be made by not running the update process at all, and rather just running the installation.
from roblox-studio-mod-manager.
The routine of installing is the same as updating. The difference is that when updating, it is applied incrementally to the existing install directory. The MD5 hashes are used to check which zip files actually need to be installed, what files need to be extracted, and what files can be removed after an update.
The bootstrapper is a separate form because some features of the mod manager (particularly the flag editor and class icon editor) prefer Roblox Studio to be kept up to date to provide accurate data to the user.
from roblox-studio-mod-manager.
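An added example, not part of the thread and not the project's own code (which is .NET): a Python sketch of the idea raised in the comments above, planning an incremental update by comparing the published hash strings of the installed and incoming manifests as opaque labels, and using SHA-256 only for files the manifest does not list. The manifest shape (a path-to-hash mapping), the file paths, the hash values and all function names are assumptions constructed for illustration.

```python
import hashlib


def plan_update(installed, incoming):
    """Diff two manifests (path -> published hash string) without hashing anything.

    The published MD5 strings are only compared as text, so no MD5
    implementation is ever invoked on the local machine.
    Returns (to_extract, to_remove, unchanged), each a sorted list of paths.
    """
    to_extract = sorted(p for p, h in incoming.items() if installed.get(p) != h)
    to_remove = sorted(p for p in installed if p not in incoming)
    unchanged = sorted(p for p, h in incoming.items() if installed.get(p) == h)
    return to_extract, to_remove, unchanged


def sha256_hex(data):
    """SHA-256 digest of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def unlisted_changed(recorded, candidates):
    """Handle files that the manifest does not list.

    recorded:   path -> SHA-256 hex stored by the installer at the last install
    candidates: path -> bytes of the file as shipped in the new package
    Returns the sorted paths whose content is new or differs from the record.
    """
    return sorted(
        p for p, data in candidates.items() if recorded.get(p) != sha256_hex(data)
    )


# Constructed sample manifests; the 32-character strings stand in for the
# MD5 values a manifest would publish and are not real file hashes.
INSTALLED = {
    "bin/app.exe": "1" * 32,
    "content/a.png": "2" * 32,
    "content/old.dll": "3" * 32,
}
INCOMING = {
    "bin/app.exe": "4" * 32,      # hash string changed -> extract again
    "content/a.png": "2" * 32,    # identical -> leave alone
    "content/new.dll": "5" * 32,  # not installed yet -> extract
}

if __name__ == "__main__":
    print(plan_update(INSTALLED, INCOMING))
    recorded = {"settings.json": sha256_hex(b"v1")}
    print(unlisted_changed(recorded, {"settings.json": b"v2"}))
```

Comparing manifests this way assumes the install directory still matches the manifest recorded at the last install; it does not detect files that were modified or corrupted on disk afterwards.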