Question regarding map security

Where

L1: Registered
Jan 17, 2024
2
0
Hi,

I'm an operator of a TF2 community

From what I understand, maps can potentially have malicious actions compiled into them, especially through vscript, but even without

As a server operator, how can I security-check maps for malicious intent before running them on my servers?

Thanks for any information
//Where
 

Zeus

Not a Krusty Krab
Oct 15, 2014
1,347
563
We have the same concern as TF2Maps; however, here are a few things about vscript that make it less scary:
  • Vscript has no direct network access (e.g. unable to phone home or log sensitive info to remote servers).
  • Vscript has very limited access to disk, and the engine has rails on it to prevent it from writing outside the filesystem of the TF2 server.
    • It would be prudent to set up a chroot jail for your TF2 server to run in, in case someone finds a way around this.
  • Vscript cannot access sensitive files on the file system like the SourceMod database credentials.
    • In this situation we created least-privilege database users and we have automated db backups, so someone who manages to escape the limits won't be able to do much.
  • Vscript has hard limits on resource utilization, meaning if someone wrote a vscript fork bomb it wouldn't kill the server.
    • I would also find it prudent to set up ulimits for your TF2 server, again in case somehow someone found a way around this.

All of these recommendations can be done using systemd, but that will require someone with decent knowledge of Linux.
With all that said, vscript can be used to impersonate and / or bully users, something for which we have a zero tolerance policy. We don't have any automated detection of this, but our moderation team is around almost 24/7 so this is not a big issue for us.

We don't employ any method of scanning maps; however if someone tries to execute an exploit or bully users via vscript / map logic they're permanently banned with no warning or possibility of reinstatement. So far we haven't had a single person attempt anything.

As for other exploits, you'll have to be more specific what you're worried about.

Hope that helps
 

The Asylum

In tf/cfg/vscript_convar_allowlist.txt you can add cvars to the list of vscript commands that you can enable/disable manually.

But for ultimate peace of mind, do some research first. If the map author is a long-tenured, upstanding paragon of the community (cough, cough), chances are they're on the up and up. Obviously the equivalent of a guy in a trench coat in an alley going "psst, hey buddy, wanna run some vscript maps?" is to be avoided.
 

Where

L1: Registered
Jan 17, 2024
2
0
Thank you for the info guys, all very useful information

My first thought, though, was actually command execution. From what I've heard, it's possible to make maps execute commands, say banning, or anything else malicious. I also heard there was protection from using some commands, but what about just using something like sm_rcon (pretty much universal on community) to dodge any blacklisted commands?
Is there a way I could easily check what commands a map might run?
I understand decompiling the map and simply reviewing a vscript file is simple enough, but I heard it's possible to have command execution in an actual map (like a vmf straight from hammer, not a script alongside it)

Thanks again for the info thus far. I think it'd be wise to take advantage of this community's moderation team and make sure maps are uploaded/verified here before running on my network. Sounds like a great security layer

Edit: or would that just be a situation where we could use tf/cfg/vscript_convar_allowlist.txt to block all commands? Also, is there a way to block everything EXCEPT certain commands? Just thinking I'd rather know everything is blocked except exactly what's intended
But again, by the name of the txt file I'm guessing this only applies to vscript, not commands from a map directly
 

worMatty

Repacking Evangelist
Jul 22, 2014
1,259
1,000
Mappers can use the entity point_servercommand to execute server commands. By default this is disabled by the convar sv_allow_point_servercommand. Be wary of anyone who asks you to change that. Some modes like Zombie Escape use it to print text to chat. As far as I know it's not possible to filter commands from this entity.

There are currently no security vulnerabilities I'm aware of involving custom maps. You should be able to run anything you want without worrying.
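
One way to answer "what commands might a map run" without decompiling it, as an added example that is not part of any post in this thread: a Python sketch that reads the entity lump of a compiled .bsp and lists every output that fires the Command input, which is how point_servercommand is driven. The function names and the sample map are constructed for illustration; it assumes an uncompressed entity lump and also reports point_clientcommand, which the thread does not mention.

```python
import re
import struct

COMMAND_CLASSES = {"point_servercommand", "point_clientcommand"}
KV = re.compile(r'"([^"]*)"\s+"([^"]*)"')

def entity_lump(bsp: bytes) -> str:
    """Return the entity text (lump 0) of a Source engine BSP file."""
    if bsp[:4] != b"VBSP":
        raise ValueError("not a Source engine BSP")
    offset, length = struct.unpack_from("<ii", bsp, 8)  # first lump directory entry
    data = bsp[offset:offset + length]
    if data[:4] == b"LZMA":
        raise ValueError("entity lump is compressed; decompress the map first")
    return data.rstrip(b"\0").decode("latin-1")

def parse_entities(text: str):
    """Split the lump into entities, each a list of (key, value) pairs."""
    entities, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line == "{":
            current = []
        elif line == "}" and current is not None:
            entities.append(current)
            current = None
        elif current is not None and (m := KV.fullmatch(line)):
            current.append(m.groups())
    return entities

def find_map_commands(bsp: bytes):
    """Return (command entity names, [(source class, output, target, command)])."""
    names, hits = [], []
    for ent in parse_entities(entity_lump(bsp)):
        props = dict(ent)
        if props.get("classname", "").lower() in COMMAND_CLASSES:
            names.append(props.get("targetname", ""))
        for key, value in ent:
            parts = re.split(r"[,\x1b]", value)  # target,input,param,delay,count
            if len(parts) >= 5 and parts[1].lower() == "command":
                hits.append((props.get("classname", "?"), key, parts[0], ",".join(parts[2:-2])))
    return names, hits

def build_sample_bsp(entity_text: str) -> bytes:  # constructed test input, not a real map
    lump = entity_text.encode("latin-1") + b"\0"
    size = 8 + 64 * 16 + 4  # ident, version, 64 lump entries, map revision
    return struct.pack("<4si4i", b"VBSP", 20, size, len(lump), 0, 0).ljust(size, b"\0") + lump

SAMPLE = build_sample_bsp('{\n"classname" "point_servercommand"\n"targetname" "cmd"\n}\n'
                          '{\n"classname" "logic_auto"\n"OnMapSpawn" "cmd,Command,sm_rcon say hello,0,-1"\n}\n')
```

Run `find_map_commands(open(path, "rb").read())` on a map before adding it to rotation; an empty result means no entity in the compiled map fires a Command input, but it says nothing about vscript files packed alongside the map.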