[SOLVED] Security risks

[xTimPugz]

Hello

 

I seriously care about security for the mods I code so players do not get an unfair advantage.

Something keeps spooking my mind, how does networking actually work?

Can't someone just edit a mod and change the piece of code so the client can excecute server code and so manipulate for instance his/her location or where he / she is looking/shooting at?

 

EDIT: I will post my code on GitHub soon, open source is great!!

 

Thank you for the responses that I am sure will come! ( )

 

[imadnsn]

Well the first rule of any network based application is to "never trust the data from the client side".

Minecraft handles everything important on the server side, sending packets to the clients with the changes so the client render and do client-sided stuff. If the client wanted something to happen it sends network packets of the specifics that the server should handle, those packets usually cannot contain harmful information because the server only accepts certain packets and handle them according to their type.

 

Let's say the player on the client clicked the keybind for jump, the client sends a packet to the server that the jump keybind has been pressed. The server will recognize the packet as a keybind packet and handle the code so that the player would jump on the server, then it sends back the new position to the client so it would render the player position

 

Client packets can be manipulated by external sources, resulting in things like fly hacks. However, the server still is in control of all what it does, and how information is handled is up to the implementation.

 

In the case of multiplayer, the client is on the player's PC but the server is somewhere else on the net, it is impossible to force the server to execute code. The only way to change anything is using the packet system, and like I said, the server only handles the packets it knows how to handle.

[xTimPugz]

That does actually make a lot of sense!

I am also guessing the Forge (Or pretty much any Minecraft server software) kind of.. Protects us against the client forcing code to execute?

 

Thank you!

[imadnsn]

Well not really, the thing is it's all about the implementation of the handling. If a mod decided to destroy the world when a client presses a button it will happen, but that's because it was hard-coded to do so. However, the way Minecraft works really gives the client little chance to do things. Almost everything that happens in the world where direct player interaction isn't needed (such as ticking tile entities) happens automatically on the server side.

As a modder, one must always consider the first rule when handling packets, don't let the client be in control of doing big things directly.

[LexManos]

Note: Get your terms correct here, Nothing in Forge/Minecraft allows remote code execution. As in, The client can't send any code to the server and have it run it.

HOWEVER, Minecraft is rather horrible in it's 'security' when validating who can do what and when. So there are a lot of 'hacks' out there that let you do things you shouldn't do.

This is simply Minecraft being poorly written from the get-go.

However, its nothing serious so we don't care. "Oh look you can fly around for a while, good for you!"

[xTimPugz]

Thank you for the correction.

 

Great replies, I will mark it as solved now.

 

Regards