-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
State bags set on the server do not respect replicated flag #2438
Comments
Simply using: Player(source).state:set("test", "hi", false) works as expected and does not replicate the state bag value to any client. (Same for entity state bags) So there have to be other factors to make this not work as expected. |
iirc this requires you to send a replicated value afterwards and/or re-enter the entities/player scope. The underlying implementation for state bags doesn't have anything to respect the replication flag sent by the caller after the first call fivem/code/components/citizen-scripting-core/src/ResourceScriptFunctions.cpp Lines 320 to 340 in b5ed6d6
fivem/code/components/citizen-resources-core/src/StateBagComponent.cpp Lines 175 to 178 in b5ed6d6
fivem/code/components/citizen-resources-core/src/StateBagComponent.cpp Lines 234 to 269 in b5ed6d6
|
Looking at @AvarianKnight's repro from the initial issue: Simply waiting a few ticks after entity creation correctly applies the replication state to the state bag key. For example, waiting (This also works if setting a replicated state bag key on the same entity afterwards.) |
This ties into the original issue of
When the state bag is initially created it doesn't send the updates to anyone until the client has said that it has the entity created, this will call fivem/code/components/citizen-server-impl/src/state/ServerGameState.cpp Lines 1815 to 1826 in b5ed6d6
|
Verified exactly what you just described: |
Thanks both for the much more detailed insight into the issue than I would have been able to provide!
This particular issue is the one that alerted me to the problem, delaying the set operation in this instance won't provide a valid mitigation (at least for Player state) because the players within a users scope is subject to change at any time. I assume this doesn't affect states set on the client side which are set to not replicate by default? Or are they also affected by the underlying implementation not respecting replication flags post creation/first call? |
* Previously, we didn't keep track of the replication state of a sbag key, resulting in sending all sbag data when a client entered the scope of an entity/player (regardless of the replication state). * We now store the replication state of a sbag key and check if we should replicate its data when sending all sbag data to the client. Fixes citizenfx#2438
* Previously, we didn't keep track of the replication state of a sbag key, resulting in sending all sbag data when a client entered the scope of an entity/player (regardless of the replication state). * We now store the replication state of a sbag key and check if we should replicate its data when sending all sbag data to the client. Fixes citizenfx#2438
What happened?
As reported originally back in 2021 by @AvarianKnight here https://forum.cfx.re/t/server-side-entity-state-bags-sync-when-replicate-is-false/2313177 and seems it was never opened here.
I ran into this issue and did some research and found the original report.
I would argue that this is a security issue because currently when scripting developers are setting this value to be false there could be an expectation that its working correctly, therefore data stored with the intent to not replicate in fact is replicating which would be a data security issue.
Expected result
It should respect the replicated flag being set to false and not replicate the state to the clients.
Reproduction steps
There is also a reproduction script in @AvarianKnight's original report.
Importancy
Security issue
Area(s)
OneSync
Specific version(s)
FiveM, Server 7752, Linux
Additional information
No response
The text was updated successfully, but these errors were encountered: