I am using json convert to serialize and deserialize data for my game
the save files are json and easy to read and modify, and this can incentivize players to trade save files or get save files off someone else in forums
lets say that some bad actor modifies the json, is there any such mechanism that when my game reads that file it will inject malware into the user’s pc?
I wanted to know because then I should give a fair warning for users to be careful, or if they do its at their own risk and im not liable for that.
I mean, sharing files is at the heart of the software industry. Entire businesses are based around it. I think it’s fair to say that your users need to take some measure of responsibility in where they source any such files.
That being said, most software usually has some clause that disolves themselves of responsibility of such things in the eula. This includes most games. In the end, the safest would be to hire a lawyer that specializes in this stuff and have them come up with something for you.
I don’t see how malware can be injected from a JSON file that you have defined. You would ideally include a version number (so you can read older versions of the JSON if you modify the structure) and you would know the structure in each case.
So if someone added a property it wouldn’t be recognized by your code. Either you ignore it or refuse to process it as “corrupt”.
I think Newtonsoft Json is fairly safe from deserialization attacks. Some deserializers can run code, probably the worst is BinaryFormatter which should be avoided. The Json format is normally safe but can still be attacked depending on the Json library. For example, loading the following json file in a WPF application can allow you to run command line calls (this example starts calculator).
What users do with their computer is their responsibility. If that involves downloading a save file from a sketch website and tanking their computer, that’s on them.
There are ways to mitigate this, but still, it’s impossible to proof everything against stupidity.
Like Sluggy said, you need to have a disclaimer of not being responsible for any damages blablabla.
The reason being that downloading and “opening” any files from an untrusted source is prone to risk damaging one’s computer. In the case of a text file opened with a text editor, the chances of this setting you at risk are practically 0%.
But a json that your application loads could trigger the usual such as an unguarded buffer overflow, be it in the Json library you’re using or the Unity engine you’re feeding with that data or your own code. This then could lead to some form of exploit, most commonly and best most users could hope for is to crash the application (yours). In the absolute extreme case but not something you can simply dismiss a user may experience other loss of data, such as perhaps some “delete savegames” functionality in your application being misdirected to “delete all documents” for instance.
There have been known attacks with spoofed PDF, PNG, JPG and similarly “harmless” files that if opened with a (typically popular) viewer or editor application, could be used to gain higher privileges on the system, perhaps even download and install software that, instantly or upon the next restart, will install itself and open a security hole that outside hackers could scan for and use to exploit the system.
There are countless attack angles and they ALL have a common source: data obtained from untrusted sources, and occassionally even data shared by trusted sources (ie malicious ads on trusted news sites).
Yes, it’s not possible to make deserialization 100% secure. However when it comes to Newtonsoft’s Json.NET you can implement a SerializationBinder which can essentially filter which types / type names map to which actual types. So you can use a whitelist to only allow types you really need / want to allow. This is also recommended by MS here.