Hello, this is a framework I’ve been working on for a bit now, It’s not perfect but it will be maintained and updated. This framework is inspired by DOJRP.

Video Preview:

Screenshots

Screenshot (868)1920×1080 83.5 KB

Screenshot (864)1920×1080 73.5 KB

Screenshot (866)1920×1080 82.6 KB

Screenshot (867)1920×1080 113 KB

Current addons:

• ND ID Card
• ND ATMs
• ND ShotSpotter
• ND DMV
• ND Jailing
• ND Doorlocks
• ND Banks
  
  

Comming soon:

• ND Hospitals (Finished: coming soon.)
• ND Blips (Finished: coming soon.)
• ND Interaction Menu (Work in progress)
• ND Robberies (Work in progress)
• ND Phone (Work in progress)
• ND MDT (Work in progress)
• ND Scoreboard (planned)
• ND Inventory (planned)
  
  

Download:

Documentation:

Dependency:

• OxMySQL

Updates:
1.0

• Fixed security vulnerabilities, I still gotta move the money system server-side and a couple more stuff. But for now, it’s pretty solid.

1.1

• Moved money system fully server-side, Created a shot spotter and an atm script.

1.2

• Full SonoranCAD integration.
• Made permission for departments easier to set up.
• Added an option to disable the money system.
• Added separate permissions for the AOP command.
• Added a priority script with the option to start it, stop it, and add a cooldown.
• Added an option to choose which department can see the priority cooldown.
• Added an option to choose which department can use and see the dark web chat command.
• More improvements & bug fixes.

1.3

• Bug fixes and optimization.
• New commands (view config)

1.4

• Bug fixes and optimization.
• Changes to the database table to support database sync with SonoranCAD.
• More exports (view the fxmanifest.lua or documentation for developers)

Not going to lie, I’m not entirely sure how this is classified as a framework yet.

The first issue, it’s pretty neat that any player can drop any other player if they wanted to

Two main things here, usually frameworks have player objects for two main reasons:

• exposing direct db calls on events is not a very good idea, a bad actor can spam the shit out of it and lead to your server crashing.
• GetPlayerIdentifier(player, 1) assumes that license will always be on that key, but it isn’t guaranteed.

Why are you using like here for license, when it should just be a regular check?

Basically, every line after this is exploitable

None of these events are checked at all, and they all send whatever arguments they’re provided to every user so a bad actor can fill it with a bunch of invalid data and spam every client.

damn.

I wasn’t aware about most of these issues back when I wrote this. I will continuously work to improve the code and these issues will be fixed. Thank you for the feedback

I’ll also try to be as constructive with this as I can. So please take this on the chin:

• You have a config that contains sensitive data, a bot token, that should never be on the client.
• As avarian pointed out, a lot of the events are subject to abuse.
• There is a questionable thread checking for permissions and some weird waits following it https://github.com/Andyyy7666/ND_Framework/blob/dd3062d164e90c6475e5685740caecdb2c2ba3e3/ND_Core/source/client/main.lua#L27 You should be checking for this stuff server side and not exposing them on client. You can just use a player joined event or network player active instead of this thread.
• Starting cash being on client is a poor idea as well

Thank you this will be helpful too

Thank you so much for releasing something like this for FREE!!!

Looking very cool so far, though I will wait a bit perhaps for another version, pending some of the things mentioned from the other coders here! If there is an update planned sometime soon anyways <3

Could you expand a little on this and maybe explain what makes this exploitable and what a fix might look like?

I stepped away from my computer about 6 months ago and haven’t touched it since, until yesterday, after spending about 3 months developing a sever…now I want to get back to it, but now I feel like a chunk of my brain is missing, trying to answer this myself. I know the information is up there, I just need my memory jogged.

No checks, so the client can give them however much money they want

These events are all networked, so they can be triggered by the client. You can arbitrarily trigger server events and send any arguments you want through, so you can give out money and even kick any player from the server with the events here.

Yeah, @Andyyy7666 There are a ton of stuff that you need to re-look over, There are quite a few bugs within the framework.

Like for an example, When you go to re-select a character, If the Paycheck goes through when you are in the UI, the UI will disapear, and you will be left with nothing just a sky, and you need to relog in order for the framework to work again.

simply , just never trust the clients

try to do everything on server if its possible

Thank you Andy this is very cool! I look forward to seeing the development of this once these security concerns are ironed out!

I believe that the safest thing is to create methods ( functions ) for everything, like AddItem, AddMoney, RemoveMoney. These important things should never be network events. And all these methods must belong to an object that can be shared to server-side scripts and then when you go to give money to a player, you must call an event that has checks on why the player is making money, something like:

-- simulating a shop event
RegisterNetEvent("MyShops:SellItem")
AddEventHandler("MyShops:SellItem", item)
  local _source = source

  -- Here you check if the player has the item and then remove from it.
  -- This is one of the possible safeguards that prevents a player from earning money without actually having the item.
  -- {...}
  local player = ND.GetPlayer(_source)
  player.AddMoney(amount)

end)

The first issue, it’s pretty neat that any player can drop any other player if they wanted to

ND_Framework/main.lua at dd3062d164e90c6475e5685740caecdb2c2ba3e3 · Andyyy7666/ND_Framework · GitHub

This has now been fixed by checking the source instead.

Two main things here, usually frameworks have player objects for two main reasons:

• exposing direct db calls on events is not a very good idea, a bad actor can spam the shit out of it and lead to your server crashing.
• GetPlayerIdentifier(player, 1) assumes that license will always be on that key, but it isn’t guaranteed.

ND_Framework/main.lua at dd3062d164e90c6475e5685740caecdb2c2ba3e3 · Andyyy7666/ND_Framework · GitHub

I’ve now added a check here to make sure that the characters can’t go over the limit. This is now checked on the client and server.

I’ve also added this function where it always gets the license when I use GetPlayerIdentifierFromType("license", player)

Why are you using like here for license, when it should just be a regular check?
ND_Framework/main.lua at dd3062d164e90c6475e5685740caecdb2c2ba3e3 · Andyyy7666/ND_Framework · GitHub

This is now fixed.

Basically, every line after this is exploitable
ND_Framework/main.lua at dd3062d164e90c6475e5685740caecdb2c2ba3e3 · Andyyy7666/ND_Framework · GitHub

I will be working on moving the money stuff to the server tomorrow.

None of these events are checked at all, and they all send whatever arguments they’re provided to every user so a bad actor can fill it with a bunch of invalid data and spam every client.

    RegisterNetEvent("registerAop")
    AddEventHandler("registerAop", function(aopRegistered)
        aop = aopRegistered
        TriggerClientEvent("setAop", -1, aop)
    end)

I’ve now added a line to check for the Admin role. This also checks if the player is an admin when the command is triggered, so players using the command without the roles won’t be kicked.

Thank you for the feedback this helped fix stuff.

Ah, yea, okay…it’s coming back to me now…the server should never just accept values from a client. The server should always be doing the calculating and keeping track of any values . But in the case where the server needs to accept a value from the client, like when one player sends money to another player for example, then the server should first be verifying that the client actually has enough money before updating the database.

I don’t know how this basic logic escaped me… that’s embarrassing…

will this work for FileZilla because I have my esx server from zap but I’ve been look for something like this

? Anything works with FileZilla. FileZilla is just an FTP program for transferring files

Awesome work! Is this the only update scheduled in the near future? Or anything else immediately the in the works? As in within a week or two, if so I can wait for the next version. One question I have is if it will be seamless upgrades without losing characters/info in the future upgrades.