Godot always runs scripts in deserialized resources
In Godot, any resource that is deserialized by the engine will also be executed, regardless of whether that deserialized data is actually used, effectively creating an arbitrary code execution vulnerability. For example, consider the following configuration file:
[Foobar]
foobar=Object(Resource,"script":Object(GDScript,"resource_local_to_scene":false,"resource_name":"","script/source":"extends Resource func _init(): print(\"Hello, world!\")"))
With the ConfigFile API, loading this configuration file will also print Hello, world! to the console even if we don't try to read the foobar value.
This issue may be addressed in the future by godotengine/godot-proposals#4925. It can also be worked around by using get_var and store_var (see Arbitrary Code Execution in Godot serialization).
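The following is an added example, not code from the page or from the Godot project, showing the get_var/store_var workaround in practice: settings are written and read back with FileAccess.store_var and FileAccess.get_var, whose object flags default to false, so a crafted file carrying encoded Objects cannot cause a script to be instantiated on load. It assumes the Godot 4 FileAccess API; the file path and the settings dictionary are constructed for the example.

```gdscript
# Added example (not from the page): persist untrusted settings without
# ConfigFile. Assumes the Godot 4 FileAccess API.
extends Node

const SETTINGS_PATH := "user://settings.bin"  # constructed example path

# Risky pattern for comparison (not executed here): ConfigFile.new().load(path)
# on a file you do not control parses Object(...) values and, as the page
# describes, runs any embedded GDScript at load time.

# Write a plain Dictionary of settings. full_objects is left at its default
# of false, so Object values are never serialized as scripts.
func save_settings(settings: Dictionary) -> Error:
    var f := FileAccess.open(SETTINGS_PATH, FileAccess.WRITE)
    if f == null:
        return FileAccess.get_open_error()
    f.store_var(settings)  # full_objects defaults to false
    f.close()
    return OK

# Read the settings back. allow_objects is left at its default of false, so
# encoded Objects in a tampered file come back as null instead of being
# instantiated; the shape check below then rejects the whole file.
func load_settings() -> Dictionary:
    var f := FileAccess.open(SETTINGS_PATH, FileAccess.READ)
    if f == null:
        return {}
    var data: Variant = f.get_var()  # allow_objects defaults to false
    f.close()
    if typeof(data) != TYPE_DICTIONARY:
        return {}  # treat anything but a Dictionary as corrupt input
    return data

func _ready() -> void:
    var err := save_settings({"volume": 0.8, "fullscreen": true})
    assert(err == OK)
    var loaded := load_settings()
    print(loaded)
```

The design point is that the binary Variant encoding with objects disabled has no way to express a script, whereas the text format ConfigFile reads can embed one; keeping the default flags and validating the decoded type closes the path the page describes.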