Security of net.SendToServer()

I’m modifying my gamemode to use “net” since the original codebase goes back a few years.

In some places, however, I use concommand.Add() and use that as a way of receiving simple one-off commands for (for example) creating an organization, etc.

At the moment, I have a whole load of checking on all of that stuff to ensure that someone can’t provide invalid parameters, etc.

My question is: If I change those concommands to being “net” library calls, will I still have to re-validate the ranges of the parameters (much in the same way as a website has to perform server side validation)? The function would be called directly from the UI, so the values would be set to certain things there anyway and it is not run by any other means (I hope!)

Basically, are clients able to dick around with net.SendToServer() so that it now sends anything they like while running on a server? I’m assuming that they can - but maybe gmod has some kind of security mechanism whereby this is not normally possible. I saw that scriptenforcer is old and doesn’t apply any more, but does anything actually replace it?

If it is true that they can mess around with it, is it possible to mess with the types so that a WriteUInt(x, 16) becomes a WriteUInt(x, 32) and things get unaligned and potentially get my server out of sync?

Yes. Validate everything.

Any data from any client should be treated as if it has been tampered with. That’s a general rule of server-client networking.

Check once on the client and check again on the server is how I do it.

Useless, just check on the server. Also, the less the person knows about its inner workings, the better.

Not always. If it requires sending a large amount of data, it may be better to do a preliminary check on the client in case it’s really fucked up, and just not waste bandwidth on sending a ton of data that’s gonna be rejected anyway.

You’re checking to see if it has been tampered with, not to check if your own code messed up somewhere, and if someone has tampered with the outgoing message, I’m sure a couple of clientside checks won’t be a problem. It’s a catch-22.

In my gPhone I check on the client to stop legitimate users from uselessly sending data to the server to be rejected; one less net message is fine with me. Serverside is mainly there to double check and catch anyone who tries doing bad stuff with clientside scripts.

Clientside checks are fine just to save effort when you want to display an error. e.g. say you’re sending a value to the server that the client inputs from a menu. Say it is a number that must always be less than 500.

Of course you validate that the number is less than 500 serverside, but a clientside check which displays an error on the menu (red outline/message/whatever) is easier than going back and forth with the server.
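An added example in Garry’s Mod Lua (not code from the thread or any poster) of the pattern the replies describe: the client checks the number only so the menu can show an error quickly, and the server re-checks the value, the sender and the rate in net.Receive, since a modified client can call net.SendToServer() with any payload it likes. The network string name, the limit of 500, the one-second cooldown and the “IsOrgOwner” networked flag are assumptions.

```lua
-- Added example, not from the original thread. The network string,
-- MAX_BUDGET and the "IsOrgOwner" flag are assumed names/values.
local MAX_BUDGET = 500

if SERVER then
    util.AddNetworkString("MyGamemode_SetBudget")

    local lastRequest = {}  -- per-player cooldown, keyed by SteamID64

    net.Receive("MyGamemode_SetBudget", function(len, ply)
        -- ply is supplied by the engine; never trust a player id in the payload
        if not IsValid(ply) then return end

        -- Rate limit: a modified client can send this as often as it wants
        local sid = ply:SteamID64()
        local now = CurTime()
        if lastRequest[sid] and now - lastRequest[sid] < 1 then return end
        lastRequest[sid] = now

        -- Read exactly the width the client is supposed to write. If a
        -- tampered client wrote 32 bits, this still reads 16 bits of whatever
        -- arrived and the rest is simply not read, so the value check below
        -- is the real defence, not the bit width.
        local amount = net.ReadUInt(16)
        if amount < 1 or amount >= MAX_BUDGET then
            return  -- reject; do not apply anything
        end

        -- Authorization is also decided server-side, never by the client
        if not ply:GetNWBool("IsOrgOwner", false) then return end

        ply:SetNWInt("OrgBudget", amount)
    end)
end

if CLIENT then
    -- Clientside check exists only to show the menu an error without a
    -- round trip; it does nothing for security.
    function RequestSetBudget(amount)
        if not isnumber(amount) or amount < 1 or amount >= MAX_BUDGET then
            return false, "Budget must be between 1 and " .. (MAX_BUDGET - 1)
        end
        net.Start("MyGamemode_SetBudget")
        net.WriteUInt(amount, 16)
        net.SendToServer()
        return true
    end
end
```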