I was COMPLETELY WRONG about saves in Godot... ( ; - ;) 

Its really cool when people recognise their mistakes makes me like this channel even more

Me : stores save data in Json Everyone : bad idea, bad practice, use resources Me now : *overexagerated air of superiority*

Becareful with XML as that could lead to what is known as the Billion Laughs or XXE if you are doing server side stuff. JSON is far more safe if that's the route you want to go down.

You can find the open-source demo and updated save game guide here: gdquest.github.io/godot-demos-2022/save-game/ In the next video, we'll share a simple trick to optimize your 2D. Stay tuned!

Also note You can use .res or .tres files .res will put the data into unreadable in a text file but data that it uses .tres will put the data into readable data in a text file I think use tres for things you dont care about being edited, or while debugging/testing/building the game maybe change it to .res when you are sharing a build/version of the game Maybe have code that lets you just change one line that will affect all of them to be tres or res so you dont have to go through updating .tres or .res in your code just do it one time, to easily swap back and forth. Maybe even save the .tres and .res files in different folders or something to make it easy to make sure you have no .tres files in your shared projects so people cannot edit the data. This is just a thought!

I save my game data as serialized binary data. It's a hassle to impliment all of that with read and write but it's security and file size is top notch.

Safe is relative, anyone downloading a saved game from a random website always has the possibility of it having a virus. I'm not saying that we shouldn't take preventative measures to make sure our code is safer for the end user, but at some point, it is the end user's responsibility.

This reminds me of how the machine learning community is using Python pickle files to distribute neural networks. Python pickle files may hold malicious code. It is a bad practice and you should use inert formats like JSON instead.

Godot should have some sort of security system that allows you to disable file operations, maybe a project setting or whatnot atm it's extra dangerous with multiplayer At least a way for the project to check if a script contains File related stuff, allowing you to prevent loading of resources that do

It would be nice if you could disable scripts in resources like that, and just make it easier to write safe code and easier to read. Or even if you could disable certain callbakc functions like _init, _ready, _process or _physics_process.

2 solutions popped into my head while watching the video. 1. If saving in a text format rather than binary, first open the save file as text rather than with the ResourceLoader. Scan it for malicious keywords (like func!) so no dangerous code can be executed. Some method of filtering the types allowed would be welcome though (like banning Callables in Godot 4). 2. Generate a key for the save file and make sure you get the same key on load, preferably in a compiled language so nobody can figure out what goes into it exactly. The raw contents of the file from that key onwards would play a part in addition to manually putting together many different variables. The downside is that, outside of small edits to stats that can be easily calculated by the user, tampering with save files is impossible this way. But downloading existing saves is no problem.

If you save ends up dictionary, what's the point using resource? Why not use dictionary from begin to end?

Glad you corrected this, I saw your other video, goes to show you though that you can't just follower what you see on YT. There are other YTers one comes to mind more vividly whose argument was "Godot does it so this is the intended way." You can and will hit the same issue with var_to_file if you are including code there. In my saves I serialize all my data into a dictionary and just var to file that without including objects. This way he information must be de-serialized for that layer of safety.

Well, to make things more precise, your previous approach was perfectly fine for locally saved games. If a hacker has access to the saved games, it means they could simply alter the game's scripts too by editing the pck's content or the binary manually. Some already hacked Sonic Colors Ultimate using this technique. So there's not really a security increase here. This new approach makes more sense if you have to upload the saved game to a server, but the server will still have to check itself if the received JSON is using the expected format anyway. I guess JSON is a little bit easier to parse than Godot resource files but, theoretically, it should not be impossible to parse and verify a sent Godot .tres file. So in the end, I think your previous method was perfectly fine. The new one maybe makes it a little bit more complex to inject code in the game, but it does not increase security in a significant manner IMO. It's basically the equivalent of local save game encryption, as it "obfuscates" things a little bit but won't stop anyone determined enough to hack your game.

How would you make the main playerdata resource file that everything like position and all that would be written and loadable? having hella issues with it not wanting to write anything and someone told me id have to look into it, but im just not understanding anything at all bc most videos i come across all of that is already made and it just goes to creating the save resource. plz help

XML-Injection is a very common security risk. I don't know how complete is the XML interpreter on Godot, but if it has half the features XML usually has it can very well do things like code execution, code injection, downloads, etc. Stick to JSON.

Hey! Thanks for this. Do you know if it is still a problem in Godot4?

Unity (technically c#, but I found that this issue is most common in Unity) has this issue too with the BinaryFormatter class. There are some pretty big games (untitled goose sim for example) that had issues with RCE.

Why is it necessary to to declare character = Character.new() again on line 65? Isn't it already declared at the beginning of the script?

The demo project no longer exists :( Can you reupload it? I was just starting to understand inventories and json!

How can we access the save game demo these days? The link in the description leads to a 404 error

Any updates on this? Are resources still unsafe?

Do we have to do this for Godot 4 as well?

I'm curious if this vulnerability still exists in godot 4.x?

A but late but how does this make Config Files vulnerable?

With this in mind. How would you go about letting users mod your game with resources? Is there the same risk?

How does Unity avoid this problem?

how is this any different than sharedPreferences?

I dont usually comment on YT, but saving is a massive thing to figure out how to do and on the last project I started, I tried a thing and seemed to be successful on it. for this project I save on godot by generating a JSON file with the variables of the script I wanna save. example: # generating array with the variables: const baseFilePath = "res://SaveData/" var file_name = "res://SaveData/slot1" var data := {} var s_slot := 1 func save(): for v in globals.get_script().get_script_property_list(): saveData(v.name, globals.get(v.name)) # (globals being the script I'm pulling from) # then on the saveData function it goes: func saveData(variableName, value): var dir = Directory.new() dir.remove("res://SaveData/slot" + str(s_slot)) data[variableName] = value var file = File.new() file.open(file_name,File.WRITE) file.store_string(to_json(data)) file.close() # probably not the most elegant way to do it, doesnt even encrypt the data, but it seems to work. # This passes the current values to the savefile and it is easy to add more variables later in development, since it is grabbing everything from the script. # And then to load I search the variables of the "in game" script on the json file with: func loadData(): var file = File.new() if file.file_exists(file_name): file.open(file_name, File.READ) var savefileData = parse_json(file.get_as_text()) file.close() if typeof(savefileData) == TYPE_DICTIONARY: data = savefileData for v in globals.get_script().get_script_property_list(): var name = v.name globals.set(name, data[name]) print(globals.inventory) get_tree().paused = false globals.load_room(data.room, str2var(data.position), str2var(data.rotation)) # And with that, we never add new code to the game script, as it will search for the immutable internal names ignoring anything that is not part of those names. Once the load_room(), that is basically a change_scene with some extra oomph, runs, the level is loaded, the position/rotation of the player is set and all the global variables (ie. health, ammo, already picked up objects) are set to their loaded values as globals is a singleton. # doing this way, I assume, takes out the risk of having extra code injected while remaining simple and modular, instead of referencing every value I wanna save by hand. # sorry for the long comment, jsut wanted to share the way I go about doing this process. # if there are any exploits with this way of doing the safe file, please let me know.

Two questions: 1. Is the issue concerning only for saving files online (eg for multiplayer games)? 2. Isn't the json file easily editable by the player? How can we make it unreadable to prevent the player from cheating the game changing the values in the json save file?

I now have made a frankenstein solution with this... I have whole objects as binary in my JSON dictionary, where it was too tedious to unwrap. Those could also be injected with malicious code. But I encrypt the save file with unique user passwords so it should be alright.

Godot has the inst2dict() and dict2inst(), which are able to convert Objects into Dictionary and vice-versa, are they good to use in saves?

Yes, but you know that the downside of JSON and XML is that they're human-readable text format... so anyone in this instance can open it up in any text editor and therefore cheat / hack the game... While when the binary format is used, the less amount of people can modify it and also harder it is...

Very informative, thanks

Hi! I'm using the ResourceSaver to save the game. Then I copy the content using the File.open_encrypted_with_pass to encrypt the content. Anyone knows if I can be hacked that way? Thanks!

I somehow managed to search for this channel 55 seconds after it uploaded lol

I wonder if it’s possible to override the resource saver/loader to include a key for encrypting the save file and then decrypt it using that key. If you have your game generate a local key and then the save is created with that key, then in theory you shouldn’t be able to open the new file as the keys won’t match (I’m oversimplifying). At any rate I prefer the resource approach over json. I may have to look at whether this key idea holds water or not. ;)

I don't convert my dictionary data to anything other than JSON. I load the dictionary into an autoload script, and use the data from that for the entire game. Since it is always available, it saves and retrieves the game configuration across all the menus, and is available during game play. This way, any variable that needs to be configurable can be placed in the dictionary/JSON file and be changed through menus, or by power users who want to tweak the game using JSON. I have two types of network data; High Security Authentication, and minimized unsecured game play streaming data. The game play data can be considered somewhat secure, because using bitwise and/or operators (and enumerators to see what is going on) I can put 64 data members in a single integer. So game play data could be a list, or dictionary, with few floating point numbers for coordinates, an integer to describe the character/game state, and an id to find the character in the game.

there is no way to make saving/loading method with resources secure?

Any example of maybe using Firebase to save your save data?

Do you know a way to save InputEvents using json? As in user-defined keybinds? Most people suggest using a resource but this exploit seems very under-reported

Is this 'correction' in the Kickstarter course?

Can't the resource file be encrypted? If so there is not how to inject code but from the encripter itself.

Thanks for sharing

So godot 4 us out, did they release that json+resource system?

Why is there no option to just disable loading of scripts?

guys please i need a way to make a voice typing in godot please

I almost hate to say it, but problems like this are why code signing was invented.

Hi Pls how can I add animation my game(coding)

Is there a sane/safe method of supporting mods for the game? I mean exposing some interface of the game, allowing modders to use Godot to create new logic (because why not facilitate already existing tool) and then (safely) loading the mod? I guess if we only limit ourselves to data-driven approach then I guess we can always use json, but we lose scriptability.

now if only there was an API that supports Godot's native type serialization, disallows objects by default, and comes with support for encryption as an extra. :) imho File (store_var and get_var) is generally the most suitable API for savegame serialization and I am surprised it's not being mentioned. I wouldn't recommend JSON or XML unless you need to interface with external applications/servers.

I'm glad this is happening.

It was too good to be true😂 When I saw your video on saving with resources I was so happy I dont have to use File class anymore but I guess Ill stick with that method.

To save in json or xml, which are local text files, still does not prevent players to unlock paid content they did not paid for. If you make a game with online community/monetary features, I would suggest to save your data in a remote database. Also, I think it would be nice to highlight the cases where it is okay to save/load locally with godot’s solution (offline game, or even simple multiplayer games with no community/monetary aspect). In these sort of games, only the player can modify their save files, and it only affect their own experience. As soon as you have online community feature, shops and monetary reward, you would need to save your data in a database.

I'm not sure whether you still reply to old videos, but here's the thing though: If you need to save textures and the kinds, the resource method is the only way to do it no? You could save the textures as images in a path and then save the path, but that's soooo hacky and weird.

For game saves, you probably want to use some binary format with basic encryption or at least encoding, so it won't be that easily user modifiable as editing JSON file using notepad. But for loading and saving your config file, this tutorial is a great example!

Great video and good points made by everyone!

Would you perhaps be open to doing a video on saves with encryption? There's not a ton of videos/helpful and clear guides on it for Godot and it's really good for say helping deter people from cheating or giving themselves steam achievements etc. so I think a lot of people could benefit from it~ ^-^

ill still make custom files and file loaders for saves

Isn't easier to just change the format that the resource is written to disk? Kinda similar to what you did with the JSON layer, but using the resource directly without worrying about that extra layer

I don't understand, this seems more like an issue for players who are downloading weird programs/save files from sketchy websites, rather than an problem on the developer end? Like, your average indie gamedev isn't going to have the scenario of their game infecting players' computers if they simply don't hide a virus inside the game?

I had no idea resources were capable of arbitrary code execution...Makes sense, though.

but someone would have to modify the resource to insert a virus

Shouldn't it be possible to use resources as before but filter out everything but the safe stuff when loading it?

still, players can access the json file and change the save file

Any file can be malicious. I think this isn't a real reason to not use resources for saving

i wish u deleted the other vid or linked to this one. i just wrote off JSON for no reason 😭

When you already built a whole game with resources:

To err is human, and I think all of us here commend you for actually correcting yourself when needed. Great job!

You should probably take the other video down. It's still recommended and some people are still using it without reading the description for the link to this video.

Good video! But honestly, if the vulnerability as I understand it is that only people who are downloading saves from online are at risk then to my mind that's an end-user problem. You can't walk through a minefield and pretend you won't step on one. That said, I might be misunderstanding the issue and I think an online or multiplayer game would have much more risk than say a singleplayer offline game and would be worth investing much more time and effort into security. In any case I respect you putting a correction video out and you got a subscriber!

What about binary?

yeah, i guess godot resources is not the best thing ever

I already expected this to happen, since Godot is written in C++, which, by default, has no memory security built-in in mind. Dealing with binaries in native will eventually leads to vulnerability if the source of the file is untrusted. (Godot already put side notes on this but people rarely pay attention on it, including many of famous Godot tutorial makers), and it's also part of reason that Godot suggest saving files in standardised/human-readable formats (like, JSON) rather than this type of "easy" way, although it's not the best way to do it.

How to save in godot: Just press ctrl+S simple.

C# users: this bullshit class doesnt even exist. Don't waste your time.

LOL, someone yelled at me in the Godot discord for telling them to save gamestate with JSON because it'll be more interoperable with whatever they may want to do in the future. Do I post this video there?

If godot supported writing normal binary files without having to go through resources this wouldn't be an issue 🙄

I say let people edit their savefiles in single player games. Too much energy is put in to stopping people from cheating when there are very simple ways to get around it ALL. If they are motivated enough to find the save file, they will be motivated enough to download Cheat Engine. To me, once the game is in a player's hands, it is theirs to do what they please with. If cheating makes it more fun for them, great! Why should I care? When devs make a big deal about it it feels like Big Brother is mad you aren't playing his game the way he wants.

My God, you still have it wrong. Your default data management is crap. You need a global game state structure. That should include chapter/level/scene, narrative path, resources/achievements/weapons/inventory, character class/stats/position/action, interactable objects status, maybe enemy/npc stats/spawning positions. Some of these can reset on load - not important on game save/load. All of these should be reset for a separate play trough (new game), some may be random seed generated. The exact storage system needs to be compatible with the target system: A database (or a whole load of servers, or cloud provider) for multiplayer hosted games, or whatever Mac OS, Android, Switch, Playstation expects (windows is a mess - use what's easiest, linux expect some sort of file in the user/home path). I know Android apps are generally expected to tie the save states to a google account. Online games need to process state on the server and save it with an account system and into a database. There's no going around it. On the client you just get display and sound playback and send input. Make sure you figure out what is an object or action in the world and needs to be on the server, and what is an effect (that lives on the client). For game prototypes and game jams use whatever you can get away with - csv, resources(serialized objects are indeed dangerous if your game revives functions), json. I expect the minimal single player commercial game to save system settings in whatever is simpler, and game state to either json or sqlite or a custom binary format.

Lost straight from the beginning. Make stuff more simplified, or explain what things are. You started off with json and im already done.

You should remove your previous video - it's outright dangerous to spread the old information and there's no guarantee everyone who clicks on the old one will make their way to this video