Copilot AI commented Jul 22, 2025

Finding Sandbox Escapes in OpenSB

Based on my analysis of the OpenSB repository, I'm creating a comprehensive plan to identify and fix potential sandbox escape vulnerabilities in this Roblox script builder.

Analysis Summary

OpenSB is a Roblox script builder with a sophisticated sandbox system located in /modules/server/wm/sandbox/. The sandbox includes:

  • Environment isolation (environment.luau)
  • Object wrapping system (wrapper/)
  • Security rules (rules.luau)
  • Instance blocking (blockedInstances/)
  • Stack safety checks

Potential Escape Vectors Identified

High Priority:

  • Stack traversal bypasses - seekSafeLevel and isStackSafe functions could have logic errors
  • getfenv/setfenv exploits - Environment manipulation functions are complex and error-prone
  • Wrapper system bypasses - Ways to obtain unwrapped references to bypass security
  • Debug library abuse - Limited but still exposed debug functions
  • Coroutine/thread escapes - Thread management and coroutine handling vulnerabilities

Medium Priority:

  • Metatable manipulation - Bypassing metatable protections
  • Instance creation bypasses - Circumventing blocked instance restrictions
  • Environment pollution - Contaminating shared environments
  • Reference leakage - Obtaining references to protected objects

Low Priority:

  • Error handling bypasses - Using error messages to leak information
  • String/table manipulation - Using library functions to escape
  • Timing attacks - Using performance characteristics to infer information

Implementation Plan

  • Create comprehensive test suite for all identified vectors
  • Fix critical stack safety vulnerabilities
  • Patch getfenv/setfenv security holes
  • Strengthen wrapper system integrity
  • Validate debug library safety
  • Test and validate all fixes
  • Document security improvements

Next Steps

  1. Build test suite to reproduce escape vectors
  2. Implement minimal targeted fixes
  3. Validate fixes don't break existing functionality

@techs-sus techs-sus closed this Jul 22, 2025
@techs-sus techs-sus deleted the copilot/fix-ac54cfce-2622-4edd-b7f1-82dc58db7779 branch July 22, 2025 02:12
Collaborator

techs-sus commented Jul 22, 2025

why does clicking that button in github's ui auto create a pull request???

a lot of what it said is true though

Member

ewd3v commented Jul 22, 2025

💀
