ND Core (v2 just released!)

NDCore

Documentation | Github Repository

ND Framework recently received a v2 update; you can find all the information in the documentation.


What is ND?

ND is a multipurpose framework focused on security, usability and a simple developer experience that fits everyone. The core itself has a character system, advanced vehicle system, interactive ped system, death system, and much more that developers can easily use to create resources for the community. And this is just the core; the core is utilized to make amazing resources, some of which you can find below.

Why use ND?

ND is growing very fast with new users every day. If you’re a server owner you can take advantage of the simplicity and how easily you can make new things for your server. If you’re a developer we have very good documentation that will show you how much ND will make your life easier. You can develop scripts way quicker than you could without ND.

We also have very good support to help you if you run into any roadblocks. And this is all free!

What makes ND different?

When ND v1 was released it was criticized by many developers and we received a lot of feedback which improved ND very quickly. ND was completely rewritten for v2 and focused heavily on security and optimization. It has been heavily tested and is constantly improving. You can check it out for yourself; it’s open source.

ND v2 also came with backwards compatibility for esx & qb which means if you have any esx or qb resources that you wish to install on your server, they will simply work as if they were running with their intended framework.


Resources:


Compatible resources:


Older backwards compatible resources (these will receive updates in the near future):

28 Likes

Note for readers: what was mentioned here was already fixed by the author

The first issue, it’s pretty neat that any player can drop any other player if they wanted to

Two main things here, usually frameworks have player objects for two main reasons:

  • exposing direct db calls on events is not a very good idea, a bad actor can spam the shit out of it and lead to your server crashing.
  • GetPlayerIdentifier(player, 1) assumes that license will always be on that key, but it isn’t guaranteed.

Why are you using LIKE here for license, when it should just be a regular check?

Basically, every line after this is exploitable

None of these events are checked at all, and they all send whatever arguments they’re provided to every user so a bad actor can fill it with a bunch of invalid data and spam every client.

https://github.com/Andyyy7666/ND_Framework/blob/main/ND_Core/source/server/commands.lua

9 Likes

damn.

I wasn’t aware of most of these issues back when I wrote this. I will continuously work to improve the code and these issues will be fixed. Thank you for the feedback :slight_smile:

3 Likes

I’ll also try to be as constructive with this as I can. So please take this on the chin:

2 Likes

Thank you this will be helpful too :slight_smile:

Thank you so much for releasing something like this for FREE!!!

3 Likes

Looking very cool so far, though I will perhaps wait a bit for another version, pending some of the things mentioned by the other coders here! If there is an update planned sometime soon anyway <3

1 Like

Could you expand a little on this and maybe explain what makes this exploitable and what a fix might look like?

I stepped away from my computer about 6 months ago and hadn’t touched it since, until yesterday, after spending about 3 months developing a server… now I want to get back to it, but I feel like a chunk of my brain is missing, trying to answer this myself. I know the information is up there, I just need my memory jogged.

No checks, so the client can give them however much money they want

1 Like

These events are all networked, so they can be triggered by the client. You can arbitrarily trigger server events and send any arguments you want through, so you can give out money and even kick any player from the server with the events here.

Yeah, @Andyyy7666, there is a ton of stuff that you need to look over again; there are quite a few bugs within the framework.

For example, when you go to re-select a character, if the paycheck goes through while you are in the UI, the UI will disappear and you will be left with nothing but sky, and you need to relog in order for the framework to work again.

1 Like

Simply, just never trust the clients.

Try to do everything on the server if it’s possible.

2 Likes

Thank you Andy this is very cool! I look forward to seeing the development of this once these security concerns are ironed out!

2 Likes

I believe that the safest thing is to create methods (functions) for everything, like AddItem, AddMoney, RemoveMoney. These important things should never be network events. All these methods must belong to an object that can be shared with server-side scripts, and then when you go to give money to a player, you must call an event that has checks on why the player is making money, something like:

-- simulating a shop event
RegisterNetEvent("MyShops:SellItem")
AddEventHandler("MyShops:SellItem", function(item)
  local _source = source
  local player = ND.GetPlayer(_source)
  if not player then return end

  -- Here you check if the player has the item and then remove it from them.
  -- This is one of the possible safeguards that prevents a player from earning money without actually having the item.
  -- {...}

  -- The payout comes from a server-side price table (placeholder name), never from the client.
  local amount = Config.SellPrices[item]
  if not amount then return end
  player.AddMoney(amount)
end)

1 Like

The first issue, it’s pretty neat that any player can drop any other player if they wanted to

ND_Core/ND_Core/source/server/main.lua at dd3062d164e90c6475e5685740caecdb2c2ba3e3 · ND-Framework/ND_Core · GitHub

This has now been fixed by checking the source instead.

Two main things here, usually frameworks have player objects for two main reasons:

  • exposing direct db calls on events is not a very good idea, a bad actor can spam the shit out of it and lead to your server crashing.
  • GetPlayerIdentifier(player, 1) assumes that license will always be on that key, but it isn’t guaranteed.

ND_Core/ND_Core/source/server/main.lua at dd3062d164e90c6475e5685740caecdb2c2ba3e3 · ND-Framework/ND_Core · GitHub

I’ve now added a check here to make sure that the characters can’t go over the limit. This is now checked on the client and server.

I’ve also added this function where it always gets the license when I use GetPlayerIdentifierFromType("license", player)

Why are you using LIKE here for license, when it should just be a regular check?
ND_Core/ND_Core/source/server/main.lua at dd3062d164e90c6475e5685740caecdb2c2ba3e3 · ND-Framework/ND_Core · GitHub

This is now fixed.

Basically, every line after this is exploitable
ND_Core/ND_Core/source/server/main.lua at dd3062d164e90c6475e5685740caecdb2c2ba3e3 · ND-Framework/ND_Core · GitHub

I will be working on moving the money stuff to the server tomorrow.

None of these events are checked at all, and they all send whatever arguments they’re provided to every user so a bad actor can fill it with a bunch of invalid data and spam every client.

    RegisterNetEvent("registerAop")
    AddEventHandler("registerAop", function(aopRegistered)
        aop = aopRegistered
        TriggerClientEvent("setAop", -1, aop)
    end)

I’ve now added a line to check for the Admin role. This also checks if the player is an admin when the command is triggered, so players using the command without the roles won’t be kicked.

Thank you for the feedback this helped fix stuff.

2 Likes
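The two posts above describe the same class of bug: a networked server event that takes the victim's id, the payload, or both from the client and acts on them without looking at `source`, without a permission check, and without validating or throttling what it was sent. Below is an added example, not ND Core's code, that shows that pattern beside a hardened rewrite in server-side FiveM Lua. The event names, the ace object `ndcore.admin` (granted in server.cfg with something like `add_ace group.admin ndcore.admin allow`) and the length and rate limits are assumptions chosen for the illustration.

```lua
-- Added example, not ND Core's code. Server-side FiveM Lua; only server
-- natives are used. Event names, the "ndcore.admin" ace object and the
-- limits below are assumptions for the illustration.

---------------------------------------------------------------------------
-- BEFORE: every argument is client-controlled and nothing is verified.
-- Any client can run TriggerServerEvent("example:kick_unsafe", 7, "bye")
-- from a cheat menu and drop player 7, or flood "example:setAop_unsafe"
-- with junk that is relayed verbatim to every connected client.
---------------------------------------------------------------------------
RegisterNetEvent("example:kick_unsafe")
AddEventHandler("example:kick_unsafe", function(targetId, reason)
    DropPlayer(targetId, reason)
end)

RegisterNetEvent("example:setAop_unsafe")
AddEventHandler("example:setAop_unsafe", function(aop)
    TriggerClientEvent("example:aopChanged", -1, aop)
end)

---------------------------------------------------------------------------
-- AFTER: identity comes from `source`, privilege from the ace system,
-- arguments are type- and size-checked, and each caller is rate limited
-- before anything expensive (a DB query, a broadcast to -1) happens.
---------------------------------------------------------------------------
local AOP_MAX_LEN = 48
local currentAop = "Statewide"

-- Fixed-window counter per player and action; in memory only.
local buckets = {}
local function rateLimited(src, action, limit, windowMs)
    local now = GetGameTimer()
    local key = tostring(src) .. ":" .. action
    local b = buckets[key]
    if not b or now - b.start > windowMs then
        b = { start = now, count = 0 }
        buckets[key] = b
    end
    b.count = b.count + 1
    return b.count > limit
end

AddEventHandler("playerDropped", function()
    local prefix = tostring(source) .. ":"
    for key in pairs(buckets) do
        if key:sub(1, #prefix) == prefix then buckets[key] = nil end
    end
end)

-- A server id is only meaningful if someone is connected under it right now.
local function isConnected(id)
    if type(id) ~= "number" or id ~= math.floor(id) then return false end
    for _, p in ipairs(GetPlayers()) do
        if tonumber(p) == id then return true end
    end
    return false
end

-- A legitimate client never sends these inputs, so treat them as tampering:
-- log it and drop the sender instead of silently ignoring it.
local function deny(src, why)
    print(("[sec] %s (%s) rejected: %s"):format(GetPlayerName(src) or "?", src, why))
    DropPlayer(src, "Invalid request: " .. why)
end

RegisterNetEvent("example:kick")
AddEventHandler("example:kick", function(targetId, reason)
    local src = source -- the only identity the server can trust
    if not IsPlayerAceAllowed(src, "ndcore.admin") then
        return deny(src, "kick without admin permission")
    end
    if rateLimited(src, "kick", 5, 10000) then
        return deny(src, "kick rate limit")
    end
    if not isConnected(targetId) or targetId == src then
        return -- a stale id (target already left) is not an attack; just ignore it
    end
    if type(reason) ~= "string" or #reason == 0 or #reason > 100 then
        reason = "Kicked by an administrator"
    end
    DropPlayer(targetId, reason)
end)

RegisterNetEvent("example:setAop")
AddEventHandler("example:setAop", function(aop)
    local src = source
    if not IsPlayerAceAllowed(src, "ndcore.admin") then
        return deny(src, "setAop without admin permission")
    end
    if rateLimited(src, "setAop", 2, 5000) then
        return deny(src, "setAop rate limit")
    end
    -- Never relay the raw argument: it may be nil, a table or a huge string.
    if type(aop) ~= "string" or #aop == 0 or #aop > AOP_MAX_LEN
        or aop:find("[^%w%s%-,.']") then
        return deny(src, "malformed AOP")
    end
    currentAop = aop
    TriggerClientEvent("example:aopChanged", -1, currentAop)
end)
```

Two design points worth noting: the permission check runs before the rate limiter so that a non-admin is dropped on the first attempt rather than after five, and the broadcast sends the server's own `currentAop` copy after validation, so nothing a client typed ever reaches other clients unfiltered.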

Ah, yea, okay… it’s coming back to me now… the server should never just accept values from a client. The server should always be doing the calculating and keeping track of any values. But in the case where the server needs to accept a value from the client, like when one player sends money to another player for example, then the server should first be verifying that the client actually has enough money before updating the database.

I don’t know how this basic logic escaped me… that’s embarrassing…

1 Like
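The earlier shop post (money changed only through functions on a shared player object, never through net events) and the transfer case just above fit together in one server-authoritative design. The following is an added example, not ND Core's code, in server-side FiveM Lua. Balances are held in a Lua table for the illustration (a real resource would persist them from the same functions); the resource name `example_core`, the event and export names, the restricted `/givecash` command and the transfer cap are assumptions.

```lua
-- Added example, not ND Core's code. Server-side FiveM Lua. Names, the
-- transfer cap and the in-memory balance store are assumptions.

local MAX_TRANSFER = 1000000
local players = {}          -- server id -> player object

-- Whole positive units only: rejects strings, negatives, fractions, NaN and inf.
local function isValidAmount(amount, cap)
    return type(amount) == "number"
        and amount == math.floor(amount)
        and amount > 0
        and amount <= cap
end

local function newPlayer(src)
    -- Look the identifier up by type; never assume "license" sits at index 1.
    local license = GetPlayerIdentifierByType(src, "license")
    if not license then return nil end
    local p = { source = src, license = license, cash = 0 }

    function p.GetMoney() return p.cash end

    -- Server resources call these directly. They are NOT registered as net
    -- events, so no client payload can reach them.
    function p.AddMoney(amount)
        if not isValidAmount(amount, math.maxinteger) then return false end
        p.cash = p.cash + amount
        TriggerClientEvent("example:moneyChanged", src, p.cash) -- client only displays
        return true
    end

    function p.RemoveMoney(amount)
        if not isValidAmount(amount, math.maxinteger) or amount > p.cash then
            return false -- malformed amount or insufficient funds
        end
        p.cash = p.cash - amount
        TriggerClientEvent("example:moneyChanged", src, p.cash)
        return true
    end
    return p
end

local function getPlayer(src) return players[tonumber(src)] end

-- Other server resources reach the object via
-- exports["example_core"]:getPlayer(src): server-to-server, never over the network.
exports("getPlayer", getPlayer)

AddEventHandler("playerJoining", function()
    players[source] = newPlayer(source)
end)

AddEventHandler("playerDropped", function()
    players[source] = nil   -- a real resource would persist p.cash here
end)

-- The only networked money path. The client chooses the target and the amount
-- and nothing else; the server decides whether the sender can afford it.
RegisterNetEvent("example:transferMoney")
AddEventHandler("example:transferMoney", function(targetId, amount)
    local src = source
    local sender = getPlayer(src)
    if not sender then return end
    if not isValidAmount(amount, MAX_TRANSFER) then
        DropPlayer(src, "Invalid transfer amount") -- a legitimate client never sends this
        return
    end
    local receiver = getPlayer(targetId)
    if not receiver or receiver == sender then
        TriggerClientEvent("example:notify", src, "No such player")
        return
    end
    -- Debit first: the balance check lives inside RemoveMoney, so it cannot be skipped.
    if not sender.RemoveMoney(amount) then
        TriggerClientEvent("example:notify", src, "Not enough cash")
        return
    end
    receiver.AddMoney(amount)
end)

-- Admin money creation is a restricted command (third argument `true`): the
-- server only runs it for callers holding the "command.givecash" ace.
RegisterCommand("givecash", function(src, args)
    local target = getPlayer(args[1])
    local amount = tonumber(args[2])
    if target and isValidAmount(amount, MAX_TRANSFER) then
        target.AddMoney(amount)
    end
end, true)
```

The client never sends a balance, only a request; every number it does send is re-validated, and the debit and credit both go through the same two functions, so there is exactly one place to add the database write and the audit log.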

Will this work for FileZilla? Because I have my esx server from zap but I’ve been looking for something like this.

? Anything works with FileZilla. FileZilla is just an FTP program for transferring files

1 Like

Awesome work! Is this the only update scheduled in the near future? Or is anything else immediately in the works? As in within a week or two; if so I can wait for the next version. One question I have is whether future upgrades will be seamless, without losing characters/info.

1 Like