Is putting entire nodes into .cfg files dangerous?

:information_source: Attention Topic was automatically imported from the old Question2Answer platform.
:bust_in_silhouette: Asked By Ox0zOwra

Lately I’ve been learning how to generate configuration files for my game so I can save the user’s preferred keymappings and then read them from the disk when the game is opened again. However, upon checking the generated .cfg file, I realized I’m actually putting in an entire InputEventKey node for every defined key into the file instead of just the keycodes.

Example (move_left is a single line):

[keycfg]

move_left=Object(InputEventKey,"resource_local_to_scene":false,"resource_name":"","device":0,"alt":false,"shift":false,"control":false,"meta":false,"command":false,"pressed":true,"scancode":65,"unicode":97,"echo":false,"script":null)

It’s not a particularly hard thing to patch out. I’m just wondering if I should do that at all since it has not done any harm to me (and I’m lazy, and it works as intended, and I’ve got other things to worry about). The fact that you could potentially attach an external script via the “script” field is what’s worrying me, though. Is that possible at all? Is there some other reasons for me not to keep it the way it is?

:bust_in_silhouette: Reply From: Calinou

As long as you’re not sending ConfigFiles over the network, encoding/decoding Objects should be fine to do. If someone is looking to inject arbitrary GDScript code into an exported project they downloaded, there are plenty of ways to do so anyway :slight_smile:

So basically I have nothing to worry about, even if the contents of the file are plainly visible to everyone that views it and can be easily accessed via the game’s config folder?

Ox0zOwra | 2021-12-09 09:44

Indeed, there’s no problem with that.

Calinou | 2021-12-14 15:53