My friend and I are making games on RPG Maker and sharing them together. He also makes plugins from ChatGPT.
I asked him for a script for a game crash (horror scene) and they asked "can this delete files" and he said that if I give all rights, yes, but also things WORSE than that. For example, formatting a disk or leaking data or deleting system32.
I don't know anything about Node.js, but I am freaked out that I can lose everything I have.
Can someone say how I can protect my computer from malicious Node.js code that I run? Is it true that Node.js with full rights is so all-powerful?
1 Answer
A Node.js application has exactly the permissions which you and the operating system allow it to have, nothing more, nothing less. If you – for some strange reason – decide to run an untrusted application with administrator privileges, then, yes, it does in fact have administrator privileges and can cause major damage, e.g., delete important files, leak data or install persistent malware. But this isn't the fault of Node.js, it's simply how permissions in an operating system work. The same applies to native applications, batch files, Python scripts and any other kind of executable code.
To protect your system, don't run untrusted code with administrator permissions. Instead, use the principle of least privilege and only grant the permissions which are both necessary and acceptable. For example, create a separate account specifically for your games and ensure that it can only access game-related files. Then run the games and any potentially dangerous scripts under this account. Using virtual machines to isolate applications from the main system can also help. This allows you to, for example, prevent the application from accessing any networks, and you can easily restore a previously saved state of the virtual machine if something breaks.
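The separate-account setup described in this answer, as an added example that is not part of the original answer. It assumes Windows with the built-in LocalAccounts PowerShell module; the account name, folder and executable name are hypothetical placeholders.

```powershell
# One-time setup: run in an elevated PowerShell window.
# Assumed values (hypothetical): change them to match your machine.
$GameUser = 'gamesandbox'
$GameDir  = 'D:\Games\Untrusted'
$GameExe  = Join-Path $GameDir 'Game.exe'

# 1. Create a standard local account used only for untrusted games.
$Password = Read-Host -AsSecureString "Choose a password for $GameUser"
New-LocalUser -Name $GameUser -Password $Password `
    -Description 'Runs untrusted games and scripts only' | Out-Null

# Add it to the built-in Users group (well-known SID S-1-5-32-545),
# addressed by SID so this also works on non-English Windows.
Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $GameUser

# 2. Fail loudly if the account somehow ended up in Administrators
#    (well-known SID S-1-5-32-544).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
if ($admins | Where-Object { $_.Name -like "*\$GameUser" }) {
    throw "$GameUser is an administrator; remove it from that group first."
}

# 3. Grant the account Modify rights on the game folder only.
#    (OI)(CI) makes the permission inherit to files and subfolders.
icacls $GameDir /grant "${GameUser}:(OI)(CI)M"

# 4. Show who can access your own profile. The new account should not be
#    listed, so code running as it cannot read or delete your documents.
icacls $env:USERPROFILE

# 5. Start the game under the restricted account instead of your own.
$cred = New-Object System.Management.Automation.PSCredential(
    "$env:COMPUTERNAME\$GameUser", $Password)
Start-Process -FilePath $GameExe -WorkingDirectory $GameDir -Credential $cred
```

Only step 5 needs repeating for later launches. Never answer an elevation (UAC) prompt raised by something running under this account, since approving it hands the code the administrator rights the setup was meant to withhold.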
fs is essential for any file system modification - writing logs, configs, reading them etc, even interacting with some kernel and system processes might be necessary according to your needs. That's like asking why can you kill someone with a hammer and being afraid of it because of it. It kinda makes sense to ask that, but think about it more yourself ;)