Implement a ManagedGDScript class

[ryanabx]

Describe the project you are working on

Godot, and a game that requires user scripting.

Describe the problem or limitation you are having in your project

Currently, a secure context is hard to achieve in Godot, and can't be achieved when allowing direct scripting with GDScript.

It should be fully noted that some 3rd party alternatives exist, and I'll list them here:

Godot_luaAPI: https://github.com/WeaselGames/godot_luaAPI
Godot-wasm: https://github.com/ashtonmeuser/godot-wasm

There are also related proposals in the area of Godot's security:

• A related proposal for sandboxing by Reduz: Implement a Sandbox mode #5010

• Another related proposal by me about alternatively expanding the feature set of the built-in Expression class: Enhance Expression features for more complex user scripting (Implement FunctionExpression) #7994

Describe the feature / enhancement and how it helps to overcome the problem or limitation

ManagedGDScript would extend GDScript and contain properties related to whitelisting:
whitelisted_functions
whitelisted_properties
etc.

A ManagedGDScript class would have the following limitations:

Objects with a ManagedGDScript script attached:

• Can only access functions, properties, etc. outlined in ManagedGDScript::whitelisted_functions, ManagedGDScript::whitelisted_properties, etc. whitelisted_functions and whitelisted_properties can include functions and properties from other classes, if necessary.
• The managed Object will not be able to access engine singletons, or even functions and properties in @GlobalScope, unless specified in the whitelisted members.
• Base object functions/properties/etc. would work internally as normal, but may or may not be accessible from the managed script based on the whitelist.

Describe how your proposal will work, with code, pseudo-code, mock-ups, and/or diagrams

Implementing a ManagedGDScript class would involve some potentially minor changes to how we evaluate scripts in Godot.

We would need to add a check for ManagedGDScript when the script attempts to get properties or set properties. I believe in GDScript internally, (correct me if I'm wrong) all property access is done through *.set() and *.get(), even if one uses . . If this is the case, then the problem becomes a lot simpler in that property access could be denied when the script is a ManagedGDScript and the property is not in the whitelisted_properties.

Similarly, functions would have to be checked for proper access.

All these changes would happen in the GDScript Analyzer, Compiler, etc. I originally thought about extending a ManagedScript to all Script types, but found the implementation bit to be too complex, and would likely involve modifying Object::set, Object::get, and Object::call which is very far from preferable.

If this enhancement will not be used often, can it be worked around with a few lines of script?

Since this is a new class, N/A

Is there a reason why this should be core and not an add-on in the asset library?

GDScript is a core module.

NOTE I believe that this would be fairly easy to implement, but I want to know if this approach has downsides that I haven't thought of, and I want to know if this feature would have enough support.

[bnolan]

Heya @ryanabx - great suggestion.

I would use this feature and would contribute to a bounty / support the development.