
HTTP requests on private networks #3684

Closed
@h3xcat

Description

Details

This vulnerability was somewhat known within the GMod community for quite some time, I just wanted to bring more awareness.

Allowing clientside code to access private networks could possibly allow an attacker to gain access to clients' network devices, such as routers and modems. Furthermore, these devices frequently contain default passwords and have outdated firmware.

The issue is especially relevant with existing addons such as mediaplayers, custom sprays, starfall, and pac, where any user on a server could make HTTP requests on any other user.

I'd suggest blocking requests for the following subnets: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Other libraries and functions should also be taken into account.

Somewhat relevant: effects of a different attack, the vulnerabilities section specifically

Avoid Consumer Routers

Steps to reproduce


Activity

changed the title HTTP requests on private addresses HTTP requests on private networks on Dec 16, 2018
thegrb93

thegrb93 commented on Dec 17, 2018

@thegrb93

What if I'm hosting an HTTP server on my LAN network and want garrysmod to be able to access it?

h3xcat

h3xcat commented on Dec 17, 2018

@h3xcat
Author

I can't really think of any reasons why you'd want to connect to an HTTP server on a private network. For developing an addon, you could just host it on a local computer. Otherwise, you could port forward the HTTP server and use your public IP address.

thegrb93

thegrb93 commented on Dec 17, 2018

@thegrb93

I was considering hosting a neural network for some weird projects. Not a big fan of the LAN limiting idea. Considering any html webpage can do it too, I don't see why gmod has to be neutered for the sake of outdated crap.

h3xcat

h3xcat commented on Dec 17, 2018

@h3xcat
Author

I don't believe any web page could do it, definitely not public ones; usually browsers come with CSP which prevents such attacks. Otherwise I'd be really concerned about browsing the internet, especially when consumer grade routers are known for their bad security.

Also, GMod users that do such experiments are very few, compared to the whole GMod community. I don't believe everyone should risk getting compromised for very few use cases used by few users.

The whole idea I like about Garry's Mod is that I can trust the game enough for it to run other people's content without getting my network or computer compromised. Usually other exploits such as executing binaries are patched within days, not sure why this is not considered a high security risk.

neico

neico commented on Dec 17, 2018

@neico

easy solution: make a convar to toggle it off for those few advanced users so everyone wins (it's up to debate if you add the archive flag to it)

Also you can proxy stuff around by using the loopback interface to selectively whitelist a service

Bo98

Bo98 commented on Dec 17, 2018

@Bo98

Also, it could just be limited clientside if necessary.

Velkon

Velkon commented on Dec 18, 2018

@Velkon

This is a great example of the dangers with saying "what if".

Trying to use this as an actual exploit to attack people is simply impractical and nearly impossible.

Blocking it would be useless and would just hinder actual uses, like local webservers.

h3xcat

h3xcat commented on Dec 18, 2018

@h3xcat
Author

Oh really? You don't think I could write a worm of some kind?

Velkon

Velkon commented on Dec 18, 2018

@Velkon

Yes, you couldn't.

thegrb93

thegrb93 commented on Dec 18, 2018

@thegrb93

I honestly don't. Not with an HTTP request alone.

h3xcat

h3xcat commented on Dec 18, 2018

@h3xcat
Author
  1. I could determine a list of common routers and modems used by ISPs and consumers in general, and determine what their default passwords and vulnerabilities are. For instance this modem doesn't even require login access to make changes to it.
  2. Next, I would run a script on all clients. The script would brute force various IPs, check what firmware the device is running by fingerprinting, and run a firmware specific script for that device. I could possibly implement it to make a request to my control server; if I see I get many requests for some unknown router, I could then dynamically implement the new exploit for that device.
  3. Next, when I've gotten access to the router, I could change DNS settings to point the queries to my own server. This could potentially allow me to monitor the client's traffic; nfoservers still use FTP, which would make an easy way to get access to other servers. Otherwise, I could just find a list of commonly requested pages from GMod addons, and just inject Lua. Now I have access to clients' Lua state within all servers using an addon that also has HTML with :AllowCSLua(). JukeBox for instance is a really popular one.
  4. I bet a few of the clients are going to be superadmin of some other server. I execute some code to execute my worm on all clients. Go to step 2.

I might as well just avoid doing everything through Lua and allow remote access to the routers... And then manage them remotely.

This could be happening as we're speaking right now; if the attacker is smart, he'll stay quiet. Unlike how it was with the cough cough worm.

There is also the workshop: just have a popular workshop addon, or multiple small ones, and just inject your exploit code.

That's just a few use cases, there's probably a shit ton of others. This kind of shit is what allowed the Mirai virus to spread...

thegrb93

thegrb93 commented on Dec 18, 2018

@thegrb93

That'd be one really shit router. Again though, any other app would be able to do that too.

h3xcat

h3xcat commented on Dec 18, 2018

@h3xcat
Author

I'm yet to see an app that could do that, that is, one which you wouldn't have control over what requests are being run, other than GMod.

And most people have shitty routers; in general most consumer routers don't take security seriously. Just because you might have a fancy one doesn't mean everyone else has such. Again, rare cases, by few users.

Ask any security professional if they'd allow anyone to bring their routers to their business environment, they'll instantly say no. There are other reasons too, but web interface+consumer grade are also one of the reasons.

thegrb93

thegrb93 commented on Dec 18, 2018

@thegrb93

Sorry, I just can't get behind it. Update your routers, they're probably already running Chinese/Russian botnet code if they are that vulnerable.


adosikas

adosikas commented on Dec 26, 2018

@adosikas

IMO the router/NAS/LAN attacks aren't even the biggest problem here.

Clientside HTTP means that servers you join (or rogue admins with lua access) can make your computer request any arbitrary site in the background (including JS-Cryptominers, IP-loggers, Jailbait or just huge/many files to clog your connection/DDOS the host).

This issue becomes much more dangerous with certain addons allowing normal players to do this to any/all players. @thegrb93's Starfall used to have this problem in the default config for years (and you can still trick people to toggle a checkbox that effectively enables a full http proxy through that player's connection) and I think PAC3 and several of the "streaming/mediaplayer" addons allow all players to make all other players request completely arbitrary locations.

DBotThePony

DBotThePony commented on Dec 26, 2018

@DBotThePony

Everything can be exploited if you are brave enough. If you are scared of "bad usage" of any feature of any program, you better turn off your pc and go outside forever, to life without digital computers.

WinterPhoenix

WinterPhoenix commented on Dec 28, 2018

@WinterPhoenix

Rubat, with all due respect, that is not a good idea.

Disabling the JS<->Lua bridge and removing HTTP from clients singlehandedly breaks an incredible amount of stuff, including much of the work myself and others have spent years making.

The theoretical security issues do not outweigh the functionality we would lose as a result. Going down the path of removing web functionality is going to totally gimp GMod's capabilities in this web-based world.

Instead, if I may suggest an alternative, simply have GMod figure out what the local network(s) are, and don't allow HTTP or the web framework to access anything on those networks.

Maybe even just blacklist all of the Private IP address blocks.

These options would limit some functionality still, but it's way better than flat out breaking most of Media Player/Cinema/anything that uses this stuff.

You could even maybe make a (blocked) ConVar that developers can toggle if they need to access stuff on their local network.

Please reconsider.

h3xcat

h3xcat commented on Dec 30, 2018

@h3xcat
Author

Implementation-wise, HTTP() shouldn't be difficult to patch. Just resolve the domain before making an actual request and check if the IP address is private or not. Though, I don't know how specifically GMod handles HTTP, more specifically in cases such as 301 redirects.

Now with stuff like chromium/awesomium specifically, it might be harder to implement such protection, since a lot of separate requests are made from within a single web page, including javascript, css, images, etc. So checking the initial request wouldn't be enough.

One way I could possibly see this easily implemented is creating a custom localhost proxy server on the system, and configuring chromium to go through that proxy. The proxy would check the request packets and block the ones made to private networks.

The proxy server would be part of the game, possibly loaded by a linked library when the game starts. And having an option to bypass the proxy checker with a cvar wouldn't be difficult to implement.

Note: I haven't used chromium framework before, but I'd believe it would support proxies as any other browser currently does.

adosikas

adosikas commented on Dec 31, 2018

@adosikas

301 Redirects are definitely followed by http.Fetch, which also means you can bypass most "sanitizers" by just pointing to a url-shortener which leads to whatever host, ip, port or GET-parameters you want.

And if you're already into proxy territory one might as well proxy via the server itself.

h3xcat

h3xcat commented on Jan 1, 2019

@h3xcat
Author

There are issues with having a proxy on the game server.

  • Bandwidth: It would eat up the bandwidth of the server when people are streaming youtube videos at 1080p60.
  • Firewalls: Server owners would have to open the ports manually. That is, after spending hours of research why http is not working for their clients.
  • Latency: Since everything is routed through the game server, this can have a significant impact on request latency, based on the locations. Basically latency(client<->game_server)+latency(game_server<->web_server) instead of just latency(client<->web_server)
  • Shared servers: Which instance would own the proxy service on a shared box? This could potentially get resolved by randomizing port numbers. But then you have an issue with firewalls.
  • Potential denial of service: It's not unusual for webservices to temporarily block IP addresses based on the number of queries from a single IP. Since all the clients' requests are routed through a single server, a web service is more likely to block the server from making any further requests.

I could go on and on... But this should be plenty of reasons why not to host the proxy server-side.

h3xcat

h3xcat commented on Dec 10, 2020

@h3xcat
Author

http.Fetch("https://h3x.cat/redirect/http/192%2E168%2E100%2E1/", function(...) print("ok",...) end)

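The check h3xcat sketches earlier (resolve the host before requesting, then decide on the address) has to survive the two bypasses raised in this thread: a public redirector that 301s into the LAN, and a percent-encoded address such as the 192%2E168%2E100%2E1 in the http.Fetch call above. The Python below is an added defender-side illustration of that check, not code from this issue or from Garry's Mod; the hostnames, the fake resolver and the fake fetch function are constructed stand-ins so it runs offline, and it blocks every non-global range (loopback, link-local, CGNAT) rather than only the three subnets named in the issue.

```python
import ipaddress
import socket
from urllib.parse import unquote, urljoin, urlsplit

def resolve_all(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_private_target(url, resolver=resolve_all):
    """True unless every address the host resolves to is public.
    is_global rejects 10/8, 172.16/12, 192.168/16 plus loopback, link-local
    and other reserved ranges; the host is percent-decoded first so an
    encoded 192%2E168%2E100%2E1 is treated as 192.168.100.1."""
    host = urlsplit(url).hostname
    if not host:
        return True                    # no usable host: refuse
    try:
        addrs = resolver(unquote(host))
        return any(not ipaddress.ip_address(a).is_global for a in addrs)
    except (OSError, ValueError):
        return True                    # unresolvable or malformed: refuse

def fetch_checked(url, fetch_fn, resolver=resolve_all, max_redirects=5):
    """Fetch via fetch_fn, re-validating the host on every redirect hop.
    fetch_fn(url) returns (status, headers, body) and must not follow
    redirects itself. Caveat: the real client resolves again at connect
    time, so a changing DNS answer (rebinding) still needs the IP pinned."""
    for _ in range(max_redirects + 1):
        if is_private_target(url, resolver):
            raise ValueError("blocked request to private network: " + url)
        status, headers, body = fetch_fn(url)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        url = urljoin(url, headers["Location"])   # relative Location allowed
    raise ValueError("too many redirects")

# Constructed stand-ins so the example runs offline: a redirector on a
# public address that 301s to an encoded LAN host. Real global addresses
# are used because ipaddress also treats the RFC 5737 ranges as non-global.
FAKE_DNS = {"redirector.example": ["93.184.216.34"],
            "ok.example": ["93.184.216.35"], "192.168.100.1": ["192.168.100.1"]}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN: " + host)
    return FAKE_DNS[host]

def fake_fetch(url):
    if url.startswith("http://redirector.example/"):
        return 301, {"Location": "http://192%2E168%2E100%2E1/"}, b""
    return 200, {}, b"hello"
```

To use it against a real client, pass a fetch_fn that performs one request with redirect following disabled and returns the status, headers and body.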

ajloveslily14

ajloveslily14 commented on Dec 10, 2020

@ajloveslily14

Can't wait for the next *cough* virus

Velkon

Velkon commented on Dec 11, 2020

@Velkon

This is a waste of time

ajloveslily14

ajloveslily14 commented on Dec 11, 2020

@ajloveslily14

Keep saying that until you join a server and suddenly your router is a part of a botnet
