Yesterday, I changed the save-game code to use the var_to_str and str_to_var functions for writing and loading the save (20240617214349). I chose this over JSON because, in Godot, JSON does not round-trip.

Unfortunately, this opens the door to arbitrary code execution: str_to_var can deserialize objects, so a malicious user can embed a script in the save file that gets run when the save is loaded.

Looking into what options I have, I found that store_var and get_var read and write Variants in binary form and, unless object encoding is explicitly enabled, refuse to serialize objects at all, so a save cannot carry a script. The documentation states:

Godot Documentation

Stores any Variant value in the file. If full_objects is true, encoding objects is allowed (and can potentially include code).

I also found GitHub issue godotengine/godot#4925 about this, where store_var and get_var are suggested as a workaround.

dalexeev:

I agree that File.store_var/get_var in combination with a dictionary is already sufficient for a convenient implementation of save files. Although the analog of allow_objects should be added to the VariantParser, so that text serialization (for example, ConfigFile) also becomes safe.
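Putting the suggestion above into practice, here is an added example (my own code, not from the original post, the Godot documentation, or the linked issue) of a dictionary-based save written and read with store_var/get_var. It assumes Godot 4.x (FileAccess rather than File); SAVE_PATH and the key layout in EXPECTED_TYPES are made up for the example. The point is that full_objects and allow_objects stay false on both sides, and that the loaded data is still schema-checked, because the binary format stops scripts but not a tampered file with the wrong types.

```gdscript
# Added example (not from the original post): save and load a Dictionary with
# FileAccess.store_var / get_var, leaving full_objects / allow_objects false
# so no Object (and therefore no script) is serialized or deserialized.
# Assumes Godot 4.x; SAVE_PATH and the key layout are constructed for this example.

const SAVE_PATH := "user://savegame.bin"

# Keys the game expects, with the Variant type each must have (constructed schema).
const EXPECTED_TYPES := {
	"version": TYPE_INT,
	"player_name": TYPE_STRING,
	"position": TYPE_VECTOR2,
	"inventory": TYPE_ARRAY,
}

func save_game(state: Dictionary) -> Error:
	var file := FileAccess.open(SAVE_PATH, FileAccess.WRITE)
	if file == null:
		return FileAccess.get_open_error()
	# full_objects=false (also the default): an Object inside `state` would be
	# written only as an id, never with its script, so the file cannot carry code.
	file.store_var(state, false)
	file.close()
	return OK

func load_game() -> Dictionary:
	var file := FileAccess.open(SAVE_PATH, FileAccess.READ)
	if file == null:
		push_error("Cannot open save: %s" % error_string(FileAccess.get_open_error()))
		return {}
	# allow_objects=false: even a tampered file that encodes an Object comes back
	# as an opaque EncodedObjectAsID, and no script is instantiated.
	var data: Variant = file.get_var(false)
	file.close()
	if not _is_valid_save(data):
		push_error("Save file rejected: unexpected structure")
		return {}
	return data

# Schema check: the binary format stops scripts, but a tampered file can still
# hold wrong or extra keys and types; accept only exactly what the game writes.
func _is_valid_save(data: Variant) -> bool:
	if typeof(data) != TYPE_DICTIONARY:
		return false
	for key in EXPECTED_TYPES:
		if not data.has(key) or typeof(data[key]) != EXPECTED_TYPES[key]:
			return false
	for key in data:
		if not EXPECTED_TYPES.has(key):
			return false
	return true
```

Usage is `save_game({"version": 1, "player_name": "x", "position": Vector2.ZERO, "inventory": []})` on the way out and `load_game()` on the way in; a rejected or unreadable file yields an empty Dictionary so the caller can fall back to a fresh game rather than trusting partial data.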