
[SECURITY VULNERABILITY] Fix ReflectUtil by adding Polymod Blacklist#7005

Merged
Hundrec merged 2 commits intoFunkinCrew:dummy/develop-v0.8.4from
FuroYT:security-vuln/fix-reflectutil
Mar 27, 2026

Conversation

@FuroYT (Contributor)

@FuroYT FuroYT commented Feb 26, 2026

Linked Issues

N/A

Description

This fixes a major bug where you could still access blacklisted classes through FlxSave.resolveFlixelClasses with ReflectUtil, as it wasn't patched to block certain fields. This pull request fixes that and, alongside, adds new functions to ReflectUtil which are also protected via the same blacklist and import aliases.

New allowed but protected functions

  • callMethod
  • createEmptyInstance
  • createInstance
  • resolveClass
  • resolveEnum

Fixed functions (accessors and aliases)

  • deleteAnonymousField (fixed accessing fields)
  • getAnonymousField (now uses aliases)
  • getProperty (now uses aliases)
  • hasAnonymousField (now uses aliases)
  • setAnonymousField (fixed accessing fields and using aliases)
  • setProperty (fixed accessing fields and using aliases)

Please do intensive testing so bugs don't slip through this.
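As an added illustration of the pattern this description relies on (not code from the PR, ReflectUtil or Polymod), a minimal Haxe wrapper that canonicalizes import aliases before consulting the blacklist and checks the runtime class of the target rather than the name the caller supplied. The blacklist entries, the alias table and the class `GuardedReflect` are constructed assumptions for the example.

```haxe
// Added illustration (hypothetical GuardedReflect, not the project's ReflectUtil):
// a reflection wrapper that resolves aliases BEFORE the blacklist check and
// validates the runtime class of the target object.
class GuardedReflect {
  // Constructed sample blacklist; the real list lives in Polymod (assumed here).
  static var BLACKLIST:Array<String> = ["Sys", "sys.io", "sys.net"];
  // Constructed alias table: a script may refer to a class by an imported short name.
  static var ALIASES:Map<String, String> = ["File" => "sys.io.File", "Process" => "sys.io.Process"];

  // Map a caller-supplied name to its fully qualified form.
  static function canonical(name:String):String {
    return ALIASES.exists(name) ? ALIASES.get(name) : name;
  }

  // True when the fully qualified name is a blocked class or sits inside a blocked package.
  public static function isBlocked(name:String):Bool {
    var full = canonical(name);
    for (entry in BLACKLIST) {
      if (full == entry || StringTools.startsWith(full, entry + ".")) return true;
    }
    return false;
  }

  // Runtime class name of an instance, or null for anonymous objects and primitives.
  static function classNameOf(o:Dynamic):Null<String> {
    var cls = Type.getClass(o);
    return cls == null ? null : Type.getClassName(cls);
  }

  public static function resolveClass(name:String):Null<Class<Dynamic>> {
    return isBlocked(name) ? null : Type.resolveClass(canonical(name));
  }

  public static function getProperty(o:Dynamic, field:String):Dynamic {
    var cn = classNameOf(o);
    if (cn != null && isBlocked(cn)) return null; // the object's class decides, not the caller's label
    return Reflect.getProperty(o, field);
  }

  public static function callMethod(o:Dynamic, method:String, args:Array<Dynamic>):Dynamic {
    var cn = classNameOf(o);
    if (cn != null && isBlocked(cn)) return null;
    var fn:Dynamic = Reflect.field(o, method);
    if (fn == null || !Reflect.isFunction(fn)) return null;
    return Reflect.callMethod(o, fn, args);
  }

  static function main() {
    trace(isBlocked("File"));        // alias is resolved to sys.io.File before the check
    trace(isBlocked("StringTools"));
    trace(resolveClass("Sys") == null);
  }
}
```

The check in getProperty and callMethod is what keeps a blocked class unreachable even when an instance of it is handed in under an innocuous-looking name.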

@github-actions github-actions Bot added status: pending triage Awaiting review. pr: haxe PR modifies game code. size: large A large pull request with more than 100 changes. labels Feb 26, 2026
@Hundrec Hundrec added the type: security vulnerability Involves a security vulnerability within the game. label Feb 27, 2026
@Hundrec Hundrec added the topic: mods Related to the creation or use of mods. label Feb 27, 2026
@EliteMasterEric (Member) left a comment

Code for this looks great, but I get several build errors from trying to use it myself!

Comment thread source/funkin/util/ReflectUtil.hx (outdated)
@FuroYT (Contributor, Author)

FuroYT commented Mar 9, 2026

Oops, let me fix them asap

@Hundrec Hundrec added status: needs revision Cannot be approved because it is awaiting some work by the contributor. and removed status: pending triage Awaiting review. labels Mar 9, 2026
@FuroYT FuroYT force-pushed the security-vuln/fix-reflectutil branch from 929d90b to 8f676b6 Compare March 9, 2026 15:36
@FuroYT (Contributor, Author)

FuroYT commented Mar 9, 2026

Fixed the errors

@FuroYT FuroYT requested a review from EliteMasterEric March 9, 2026 15:40
@Hundrec Hundrec added status: pending triage Awaiting review. and removed status: needs revision Cannot be approved because it is awaiting some work by the contributor. labels Mar 9, 2026
@EliteMasterEric (Member) left a comment

This is a great way of re-implementing this functionality in a way that still prevents vulnerabilities. I like the fact that it automatically pulls from the existing blacklist so we only need to update things once.

@EliteMasterEric EliteMasterEric added this to the 0.8.4 milestone Mar 10, 2026
@FuroYT FuroYT force-pushed the security-vuln/fix-reflectutil branch from 8f676b6 to 75e56b1 Compare March 10, 2026 21:50
@Hundrec Hundrec added status: reviewing internally Under consideration and testing. and removed status: pending triage Awaiting review. labels Mar 12, 2026
@Hundrec Hundrec removed this from the 0.8.4 milestone Mar 12, 2026
@EliteMasterEric EliteMasterEric added this to the 0.8.4 milestone Mar 12, 2026
@Hundrec Hundrec removed this from the 0.8.4 milestone Mar 13, 2026
@Hundrec Hundrec changed the base branch from develop to dummy/develop-v0.8.4 March 27, 2026 07:24
@Hundrec Hundrec added status: accepted PR was approved for contribution. If it's not already merged, it may be merged on a private branch. and removed status: reviewing internally Under consideration and testing. labels Mar 27, 2026
@Hundrec Hundrec added this to the 0.8.5 milestone Mar 27, 2026
@Hundrec Hundrec merged commit 2826e52 into FunkinCrew:dummy/develop-v0.8.4 Mar 27, 2026
2 checks passed