Question: I wanted to potentially send a list of 5 or so vector3’s to the server for some validation, log aggregation and storage. Is there a safe way to do it?
Since client can manipulate client script, there’s nothing in theory stopping the player from turning a list that should contain ‘n’ elements to n + infinity elements. If that happens, and the client tries to send that over to the server, I feel like the server will…well, die, right?
Is there any way to pre-validate that the data going to the server is structured and sanitized BEFORE ingesting? Otherwise, it’d be a super huge filestream bogging the server, no?
Am I wrong, or am I wrong?
What do you think?
I don’t know the exact limits but the client will likely get a “network overflow” error and get kicked similar to the message you’ll get when sending way too many events in a short time frame.
Apart from that you cannot prevent a client from triggering events with arbitrary data. There will probably always be some way that they’ll be able to do so.
But if you know on server side that you need exactly 5 vector3s’ then check that on server side before using the client’s data (never trust a client anyways).
If you need to send huge amounts of data deliberately, then you can use the latent events.
1 Like
Not huge events, but I don’t trust that the client won’t try to make it huge (if that makes sense).
E.g. Supposed to send 5 v3’s, client sends 100 - The server still has to ‘accept’ that data right?
Geez. Im just realizing that (based on what you said), all of my server events are ‘vulnerable’ to this…
Okay. I’ll just continue as normal and pray no one sends just the right happy medium of not large enough to get kicked, but large enough to do damage.
You think there’ll be any plans to add some sort of event-based data-size threshold specification? Shall I add to the ideas board?
(at least in Lua) events are executed in their own thread. Meaning if there is an error, it does not affect other parts of a script. So if a client sends e.g. a string instead of a number there will probably just be an error on server side and nothing else happens. Though that entirely depends on how you build your events.
I usually check for clean parameters on security critical stuff and throw an error (mostly using assert in Lua), e.g. entering stuff into the database or adding something to a table that needs to be a certain variable type.
For events where it is “not security critical”, I usually leave it as is. Case by case basis though…
I’'m really into doing every little thing on server side if possible, so the number of necessary client ↔ server stuff is limited to basics.
Just as an example of a “server based” input system:
RegisterKeyMapping → TriggerServerEvent (without any parameters) → Server handles everything from there
This way it doesn’t matter what a user sends. Position, player state etc is all on server side anyways (of course there are still some exceptions here).
But let me tell you this:
You will never be 100% secure. Don’t overdo it with security measures. Finish your project while thinking about actual vulnerabilities in your code itself.
If someone manages to break something, then you can look into preventing whatever he did. Otherwise you’ll never get anything done… Been there, done that hahaha
1 Like
This is the 6th time my post went pending…let’s try this…
Edit:
It’s like you’re speaking directly to my brain. Regarding doing as much as is possible server sided, I tried to (hence my schpiel from my comment on my “statebags” forum post I created (I had to remove the hyperlink because I got into pending AGAIN)
Long story short, I need to compute distance checks for a scoring mechanism, but from my testing, it’s not a good idea to run threads server sided that checks every frame (even if just temporarily) - So I can’t run threads to update coords for specific clients. And I can’t use time due to variations in performance like vehicle speed which could cause race conditions.
So I’ve decided that I have to send the data back to the client for computation, collect a buuuncha samples, then either average out or pick a random value.
This way if they’re cheating their score accuracy, I’d be able to see it / log it. I just thought of that second idea in terms of cheating and thought to bring it up before banking on it…
In other words, trust me…truuuust me - If I could, I’d 1000000% run the rest of my validation code on the server as the client isn’t needed anymore…
1 Like