Is it possible to create and open a .bat file with gms?

Binsk

Member
Create and open, sure. Execute, no, at least not natively. That is a severe security risk, though, so I wouldn't do it in the first place.

You could find an extension (or write one yourself) that can do an "execute shell" or something similar and use that to get the job done.
 
S

Sam (Deleted User)

Guest
Create and open, sure. Execute, no, at least not natively. That is a severe security risk, though, so I wouldn't do it in the first place.

You could find an extension (or write one yourself) that can do an "execute shell" or something similar and use that to get the job done.
Calling that a severe security risk is like calling the entire Windows operating system a severe security risk (or the same could be said about Mac and Linux for similar reasons), because batch and other shell script files exist not just to sit on your hard drive to doodle around and not be used; many software launch these and it's a perfectly normal programming practice to use such scripts in your program. Whoever told you it is a severe security risk, I don't want the drugs they are selling. I understand how it could be used for bad things, but same could be said about any executable file to begin with.
 

Binsk

Member
Calling that a severe security risk is like calling the entire Windows operating system a severe security risk (or the same could be said about Mac and Linux for similar reasons), because batch and other shell script files exist not just to sit on your hard drive to doodle around and not be used; many software launch these and it's a perfectly normal programming practice to use such scripts in your program. Whoever told you it is a severe security risk, I don't want the drugs they are selling. I understand how it could be used for bad things, but same could be said about any executable file to begin with.
It is very simple for someone to modify the scripts included with your program. It is a security risk in terms of outside tampering as these scripts can do some extremely harmful commands fairly quickly. To completely ignore this potential is quite naive, bad people exist.

Unless you have some internal check that scans the code before executing I, personally, would avoid them.
 

TsukaYuriko

☄️
Forum Staff
Moderator
Topic cleaned. There's no merit to bashing each other's heads in over this subject.


Surely there is a potential for someone to modify a batch file and run malicious code through it. When would this potential turn into an actual security risk, though?

In an environment where not just anyone can modify and replace code (which then ends up in an official build), the risk is basically non-existent. The only chance of something like this happening under those circumstances (and no software project should by any means be blindly accepting changes from anyone) is when someone downloads my work that uses batch files, modifies it, redistributes it on their own, then someone else downloads it and runs it. I can't see any way something bad can happen to a user/player when they only download stuff from the original author due to this apparent security risk.

Certainly, someone could write a piece of malware that specifically targets my program and edits specific files to run malicious code... but this is basically unheard of. At the point where malware can modify your system's files, there are hundreds of better ways to harm a target's computer than to specifically infect some random game.

Verification of external resources before using them is certainly a good thing by all means and should definitely be done (hashing such files is simple and should be effective at deterring 99% of all people from tampering with them), but if end users choose to download or are deceived into downloading anything from a non-official source, that has nothing to do with the developer anymore - it would be like saying that it's YoYo Games' fault that those people who choose to pirate GM end up with infections on their PCs just because someone replaced one of the DLL files with a virus, and that they shouldn't use DLLs for this reason.

At that point, the person with malicious intent could have used a multitude of other ways to destroy their unsuspecting victims' devices (GMS itself provides a couple of those with sandboxing turned off and admin elevation). Batch files can't be more or less harmful than anything you can run through a command prompt, and any program has that at its disposal as soon as the user runs it, anyway, so an attacker might as well replace the game's .exe file with a virus and change the icon and meta data to make it look more legit.


So is it a security risk?
Yup, roughly as much of a risk as any .exe file: If you don't trust it, don't run it.
 
S

Sam (Deleted User)

Guest
Topic cleaned. There's no merit to bashing each other's heads in over this subject.


Surely there is a potential for someone to modify a batch file and run malicious code through it. When would this potential turn into an actual security risk, though?

In an environment where not just anyone can modify and replace code (which then ends up in an official build), the risk is basically non-existent. The only chance of something like this happening under those circumstances (and no software project should by any means be blindly accepting changes from anyone) is when someone downloads my work that uses batch files, modifies it, redistributes it on their own, then someone else downloads it and runs it. I can't see any way something bad can happen to a user/player when they only download stuff from the original author due to this apparent security risk.

Certainly, someone could write a piece of malware that specifically targets my program and edits specific files to run malicious code... but this is basically unheard of. At the point where malware can modify your system's files, there are hundreds of better ways to harm a target's computer than to specifically infect some random game.

Verification of external resources before using them is certainly a good thing by all means and should definitely be done (hashing such files is simple and should be effective at deterring 99% of all people from tampering with them), but if end users choose to download or are deceived into downloading anything from a non-official source, that has nothing to do with the developer anymore - it would be like saying that it's YoYo Games' fault that those people who choose to pirate GM end up with infections on their PCs just because someone replaced one of the DLL files with a virus, and that they shouldn't use DLLs for this reason.

At that point, the person with malicious intent could have used a multitude of other ways to destroy their unsuspecting victims' devices (GMS itself provides a couple of those with sandboxing turned off and admin elevation). Batch files can't be more or less harmful than anything you can run through a command prompt, and any program has that at its disposal as soon as the user runs it, anyway, so an attacker might as well replace the game's .exe file with a virus and change the icon and meta data to make it look more legit.


So is it a security risk?
Yup, roughly as much of a risk as any .exe file: If you don't trust it, don't run it.
That's basically what I meant by "it isn't a security risk" is that it doesn't have any potential to be more dangerous than any other piece of untrusted software, and I outlined in my posts removed just about everything you said. I just need to be more careful about how I word things to avoid needless drama.
 

Aviox

Member
I realize this is an old topic, but just wanted to point out something, since I came here searching for a specific solution --

It is now (and has been for a bit) possible to run batch files at different points in the compile process in GM.
So depending on WHY you're trying to run a batch file, it may work to just run it during compile (when you hit play, etc):

https://manual.yoyogames.com/Settings/Runner_Details/Compiler_Batch_Files.htm

Example -- I run a batch file that downloads a csv from google sheets and converts it into data for in-game text. There are no extra steps in my workflow when editing/testing different strings/text (e.g. in-game dialogue) in my project. I hit play, and by the time the game is running, my updated JSON file is ready to go.
 
Top