Don't Starve Together

Simple Health Bar DST
Noeda 20 Jan, 2024 @ 8:39pm
Suspicious HTTP-related code found when studying the deobfuscated code of this mod
Hello DYC (also, I guess this is a community PSA). There's something in your code that's raising some eyebrows for me.

I'm someone who runs a private server for some friends. We wanted to make (private, not going to be published) modifications to this mod, changing how some colors are handled by it, just for our own private games.

Since you like to go through obfuscating your code, I went through some automatic (+ a bunch of manual) deobfuscation to study how the mod works and make a plan for how to get our custom color stuff in. This post is not about the color stuff though.

I found things in the code that feel like they have no place in a health bar mod.

My red flag is a piece of networking code in `dycmisc.lua` communicating with http://dreamlo.com/lb/. I see functions going through Klei's functions to make GET requests and ... also add information with GET requests (I think the site is not well designed and should POST that instead... but whatever).

From what I can tell, this networking code in dycmisc.lua is inert in this Health Bar mod. I modified all the calls to abort the game and alert if any of the networking calls are actually used, and the code paths were never triggered; code reading also didn't show me how they could possibly get invoked (although given that even after deobfuscation it's hard to follow exactly, I'm not 100% absolutely sure it will never trigger ever).

I know you also contributed many other great mods; I checked the DS version of the mod (https://steamhost.cn/steamcommunity_com/sharedfiles/filedetails/?id=1608490902) and it had very similar networking code present, also communicating with https://dreamlo.com/lb/. It also looks inert, so nothing is actually sent or read.

Here are my questions:

1. Has this networking part of the code ever been actively used? I'm not talking about just this particular mod, but all your DS/DST mods in general, and the many past versions of this mod (which Steam doesn't let me download... if anyone knows how to get older versions of mods, I'd love to know how). We've been using some of your mods because we like them.

2. If the answer is yes, what data was sent out and for what purpose? That dreamlo.com site looks like a fairly simple scoring service, so I'm not too concerned... but I would still want to know why that code exists.

I run DST servers for people who are very privacy conscious and really care about this sort of stuff. I don't want mods to randomly send out any information about our games to random unencrypted HTTP sites that are never mentioned anywhere in the mod description. At least change the dreamlo.com URL to HTTPS if you plan to use this in the future, as the site seems to not be configured to redirect automatically from HTTP to HTTPS. And if you start using this, mention it in the mod description.

(Side tangent... some of this is on me because I didn't do my due diligence properly at first... finding this piece of code kind of woke me up to the fact that I need to really up my due diligence and sandboxing on other games and mods, since I run other dedicated servers than just DST with mods.)
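The due-diligence step the post describes (going through a mod's Lua for outbound HTTP before deploying it) can be partly automated. Below is an added example, not code from the mod or from the poster: a small Python audit script that scans Lua source for URL literals and flags plaintext `http://` ones, decodes the `\ddd` and `\xhh` string escapes that obfuscators use to hide URLs, splices `"a" .. "b"` concatenations back together, and reports uses of the engine's HTTP entry point. The method name `QueryServer` (as in `TheSim:QueryServer`) is assumed here to be the Klei API used for HTTP requests; the sample Lua it runs on is constructed for the example, and the `dreamlo.com` URL is only there because it is the one discussed above.

```python
"""Audit Lua mod sources for outbound HTTP before deploying them on a server."""
import re
from dataclasses import dataclass

# Short Lua string literals: "..." or '...' with backslash escapes.
# (Long-bracket strings [[...]] are not handled by this example.)
_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# One escape sequence: \ddd (decimal byte), \xhh (hex byte) or \<char>.
_ESC_RE = re.compile(r'\\(\d{1,3}|x[0-9A-Fa-f]{2}|.)', re.DOTALL)
_URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
# Assumption: TheSim:QueryServer is the Klei HTTP entry point. Matching on the
# method name alone also catches obfuscated forms such as TheSim["QueryServer"].
NETWORK_CALLS = ("QueryServer",)


@dataclass
class Finding:
    file: str
    line: int
    kind: str    # "plaintext-url", "tls-url" or "network-call"
    detail: str


def decode_lua_string(raw: str) -> str:
    """Resolve Lua escape sequences so "\\104\\116\\116\\112" reads as "http"."""
    def one(m: re.Match) -> str:
        esc = m.group(1)
        if esc.isdigit():
            return chr(int(esc))
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(esc, esc)
    return _ESC_RE.sub(one, raw)


def _decode_line(line: str) -> str:
    """Decode every string literal on a line, then join "a" .. "b" into "ab"."""
    def repl(m: re.Match) -> str:
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return '"' + decode_lua_string(body) + '"'
    decoded = _STRING_RE.sub(repl, line)
    return re.sub(r'"\s*\.\.\s*"', "", decoded)


def audit_lua(filename: str, source: str) -> list[Finding]:
    """Return every URL literal and network-call site found in one Lua file."""
    findings: list[Finding] = []
    for no, line in enumerate(source.splitlines(), 1):
        decoded = _decode_line(line)
        for url in _URL_RE.findall(decoded):
            kind = "tls-url" if url.lower().startswith("https://") else "plaintext-url"
            findings.append(Finding(filename, no, kind, url))
        for name in NETWORK_CALLS:
            if name in decoded:
                findings.append(Finding(filename, no, "network-call", name))
    return findings


# Constructed sample: the URL is hidden behind decimal escapes and concatenation,
# the way a simple obfuscator would emit it. Not the mod's actual code.
SAMPLE_LUA = r'''
local base = "\104\116\116\112://dream" .. "lo.com/lb/"
local function submit(score)
    TheSim:QueryServer(base .. "add/" .. score, OnReply, "GET")
end
print("no network here")
'''

if __name__ == "__main__":
    for f in audit_lua("dycmisc.lua", SAMPLE_LUA):
        print(f"{f.file}:{f.line}: {f.kind}: {f.detail}")
```

Run it over every `.lua` file in a mod directory before enabling the mod; a `plaintext-url` finding next to a `network-call` finding is exactly the pattern worth reading by hand, and a clean run is not proof of absence, since the scanner only sees what is in string literals on a single line.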