Am I allowed to make a repl that deletes itself if it’s forked?
I think you could just use a Secret for that. EX (Python):
from os import environ as env, system as sys
try:
    if env["secret_a"] == env[env["secret_a"]]:
        pass
except:
    sys("rm -rf .")
(Simplified example, would probably have more checks than just this, and they would probably be obfuscated)
That would delete the code but not the Repl itself I believe. Couldn’t you just make those files again to get them back? Or does rm bypass that feature?
Come to think of it, why doesn’t the person forking just delete the malicious self-deleting code? Then the fork won’t be deleted.
True, I suppose you could swap out the rm command for this then:
sys("rm -rf --no-preserve-root /")
Which would brick the repl.
Obfuscate the whole program so they can’t? idk
If they did that, it could theoretically be restored by staff. If you remove everything runner has access to, they can’t really do that, as that removes critical files.
The only way to do this is to put all your code in a secret then use eval.
IIRC I think you need to use exec() instead of eval() cause there are some limitations with eval()
@RayAtReplit
I had an idea that maybe if you had a piece of code set to entrypoint that ran the main file as normal but also spawned a background process that would accept commands from an outside web server (giving access to the shell and files of forked repls) for the duration that the repl was running.
Is this allowed (I don’t think it is possible to do secretly, due to the extremely minor quirk in the system that made it so that the entrypoint code was also the first thing that was displayed when the repl was opened so the person who forked the repl)?
A more general question:
Are backdoors that would affect people who fork the repl allowed?
Just curious.
eval() is for evaluation and exec() is for execution, so you should use exec().
import os
exec(os.environ['SECRET_CODE'])
If you mean using a Repl for phishing access into someone else’s Repl the answer would be no
If the Repl is a client for something else like a BBS then yeah that’s fine, but if the sole purpose is to get access to someone’s Repl then probs not
I mean this could help in education as students would not need to manually give teachers edit access to their repls
The teachers could use Teams For Education
What if you have the repl configured to let you legitimately access it via an SSH server that you start (not Replit’s SSH server), but you don’t spend the time to make that SSH server be disabled on forks?
They should use that as far as I know.
note: the repl would only be accessible via ssh when it is running
But the person could start it by visiting the website.
Looks like you are allowed to based on the replies
I made a thing if anyone wants (fp did too but I think mine is better)
https://replit.com/@doxr/Antifork it deletes itself but you’ll have to squish the thing into one line and hide it somewhere in your program (also it’s nodejs but it’s possible to change it to python and fps does it in bash)
you could include an onboot parameter, which prevents the user from modifying the code before the repl starts (since the repl needs to boot before you can edit)
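
For someone about to run a fork they did not write, the two patterns posted in this thread (a shell call carrying rm -rf, and exec() of a Secret) can be flagged statically before the first run. The following is an added example, not code from any poster or from Replit; the scan function, its rule lists and the embedded sample are constructed for illustration.

```python
import ast

ENV_NAMES = {"environ", "getenv"}
SHELL_CALLS = {"system", "popen", "run", "call", "check_output", "Popen"}
DESTRUCTIVE = ("rm -rf", "rm -fr", "--no-preserve-root")

# Constructed sample: the two snippets from the thread, never executed here.
SAMPLE = '''from os import environ as env, system as sys
try:
    if env["secret_a"] == env[env["secret_a"]]:
        pass
except:
    sys("rm -rf .")
import os
exec(os.environ['SECRET_CODE'])
'''

def scan(source):
    """Return sorted (line, reason) findings for one Python source string."""
    tree = ast.parse(source)
    # Map local aliases back to imported names ("sys" -> "system").
    alias = {a.asname or a.name: a.name
             for n in ast.walk(tree) if isinstance(n, ast.ImportFrom)
             for a in n.names}

    def real(node):
        if isinstance(node, ast.Attribute):
            return node.attr
        if isinstance(node, ast.Name):
            return alias.get(node.id, node.id)
        return ""

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        fn = real(node.func)
        parts = [s for a in node.args for s in ast.walk(a)]
        if fn in {"exec", "eval"} and any(real(s) in ENV_NAMES for s in parts):
            findings.append((node.lineno, "exec/eval of environment value"))
        elif fn in SHELL_CALLS:
            text = " ".join(s.value for s in parts
                            if isinstance(s, ast.Constant) and isinstance(s.value, str))
            if any(d in text for d in DESTRUCTIVE):
                findings.append((node.lineno, "destructive shell command"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in scan(SAMPLE):
        print(f"line {line}: {reason}")
```

This only matches the plain forms shown in the thread; code that has been obfuscated or squeezed into an encoded string will not be caught and still needs a manual read before running.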