Examples of what I mean by modding:
- minecraft mods: add some jar file into your mod folder
- skyrim mods: add some .esp file into your mod folder
- luanti: put some folder with .lua files and config into your .minetest/mods folder
Mods are basically “turing-complete” and can add different types of computation to your application, while integrating with the (GUI) system.
How to design a program that allow for modding?
With interpreted programming languages like python or lua, you can load code as strings at runtime … but is it done that way for these languages (that would be really bad for security)?
eval("print('mod loading ...')")
So roughly how I imagine modding in python to work, a demo in the python repl …
>>> items = {}
>>> newmod = """
... {"name": "holy-mod-sword", "value": 10, "do-damage": lambda x: x.firedamage(1000)}
... """
# loading the mod
>>> items["holy-mod-sword"] = eval(newmod)
>>> items
{'holy-mod-sword': {'name': 'holy-mod-sword', 'value': 10, 'do-damage': <function <lambda> at 0x7f8c710a9d00>}}
is it done that way or similar?
You must log in or register to comment.
Eval is bad for security boundaries and the string based approach is a pain to develop and maintain. An alternative that is equally bad for security but better for development would be dynamic imports using importlib.
If you want to support custom scripts while enforcing security boundaries, you could use an embeddable interpreter like lua, or create your own.
Usually, when games and programs natively support 3rd party mods/plugins its done so through a defined API - a modding API - just a bunch of functions made by the devs that allow you to register new stuff, change/override what already exists, react to events, … Example https://lua-api.factorio.com/latest/
Lua is often used as the language for the mods because it’s really easy to embed into a program (most games are done in compiled languages) and so creates a “sandbox” - you can only really call what the devs make available for the lua scripts.
I think as soon as you add mods to your application that can bring their own code with them you have a potential security issue. The most secure approach that I have seen is wasm mods/plugins run in a sandbox.
