
Conversation

@Maximus7474

The current ox_inventory version (v2.44.6) has a vulnerability where users can open any inventory, bypassing all security checks.
This is because no validation is performed on the invType parameter within the openInventory function and callback.

As discussed with Linden, the ideal solution, which allows customization with relative ease without needing to add inventory types to a separate registry, is to check, before opening another inventory, that the requested invType is equal to the inventory's type. This will lead to false positives, but only for poorly created integrations where developers aren't paying attention to what they're passing as arguments.
Since most occurrences of this would be due to people trying to exploit it, I kept the nice DropPlayer in there; I can switch it to a warn log via ox_lib if that is judged too harsh, or alter the reasons.

This can be replicated by adding the following code, which demonstrates fxserver's lack of injection protection by overriding the closeInventory function (preventing the inventory from closing when a security check fails) and passing invalid arguments to the server to open any inventory.

RegisterCommand('injectshit', function()
    -- neutralise the client-side close so a failed server check cannot close the UI
    client.closeInventory = function() end

    -- 'valid_inv_id' can also be a number for targeting a player inventory
    --  'invalid_invType' can be any string excluding a used value for inventory types
    --     i.e. 'fuckwits_are_annoying', 'kek'
    --     but not 'trunk', 'player' obv...
    TriggerEvent('ox_inventory:openInventory', 'invalid_invType', 'valid_inv_id')
end)

-> allows users to open inventories by passing the incorrect invType regardless of distance and security checks
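The check described above, as an added illustration that is not ox_inventory's own code: a server-side open handler that selects its access check by the client-supplied invType (the vulnerable shape) next to one that resolves the inventory first and requires the claimed type to match the stored type before running any check keyed on that stored type. The `Inventories` table, `getInventory`, `accessChecks`, both `openInventory*` functions and the `DropPlayer` stub are assumptions made for this demo so it runs under a plain `lua` interpreter.

```lua
-- Added example (not ox_inventory code). Everything here is a stand-in: the
-- `Inventories` table, `getInventory`, `accessChecks`, the two `openInventory*`
-- functions and the `DropPlayer` stub are assumptions made for this demo.

-- Constructed registry: the server's record of each inventory and its real type.
local Inventories = {
    ['trunk_ABC123'] = { id = 'trunk_ABC123', type = 'trunk',  owner = nil,      items = { 'spare_wheel' } },
    ['stash_police'] = { id = 'stash_police', type = 'stash',  owner = 'police', items = { 'evidence_bag' } },
    [3]              = { id = 3,              type = 'player', owner = 3,        items = { 'phone' } },
}

local function getInventory(invId)
    return Inventories[invId]
end

-- Stub for the FXServer native so this file runs under plain `lua`; records kicks.
local dropped = {}
local function DropPlayer(source, reason)
    dropped[#dropped + 1] = { source = source, reason = reason }
end

-- Per-type access checks (constructed stand-ins for distance / ownership logic).
local accessChecks = {
    trunk  = function(source, inv) return true end,                -- e.g. distance to the vehicle
    stash  = function(source, inv) return source == 2 end,         -- e.g. job/owner check; only source 2 passes here
    player = function(source, inv) return inv.owner == source end, -- only your own inventory
}

-- Vulnerable shape: the check is selected by the client-supplied invType. Any
-- string that is not a registered type has no check, so the call falls through
-- and the inventory named by invId is handed over unconditionally.
local function openInventoryVulnerable(source, invType, invId)
    local check = accessChecks[invType]
    local inv = getInventory(invId)
    if not inv then return nil, 'no_such_inventory' end
    if check and not check(source, inv) then return nil, 'access_denied' end
    return inv
end

-- Hardened shape (the approach described in the PR): resolve the inventory first,
-- require the claimed type to equal the stored type, and key the access check on
-- the stored type. A mismatch can only come from a broken integration or a forged
-- event, so it is treated as a kick rather than silently ignored.
local function openInventoryHardened(source, invType, invId)
    local inv = getInventory(invId)
    if not inv then return nil, 'no_such_inventory' end
    if inv.type ~= invType then
        DropPlayer(source, ('Possible exploit attempt: requested type %s for a %s inventory'):format(tostring(invType), inv.type))
        return nil, 'type_mismatch'
    end
    local check = accessChecks[inv.type]
    if check and not check(source, inv) then return nil, 'access_denied' end
    return inv
end

-- Demo: the forged request from the PR (unused type string + a real id) succeeds
-- against the vulnerable handler and is rejected with a kick by the hardened one,
-- while a well-formed request from an authorised source still works.
local attacker, officer = 1, 2
assert(openInventoryVulnerable(attacker, 'kek', 'stash_police') ~= nil, 'vulnerable handler opens the stash')
assert(openInventoryVulnerable(attacker, 'stash', 'stash_police') == nil, 'correct type still hits the access check')

local inv, err = openInventoryHardened(attacker, 'kek', 'stash_police')
assert(inv == nil and err == 'type_mismatch' and #dropped == 1, 'hardened handler kicks on mismatch')
assert(openInventoryHardened(attacker, 'stash', 'stash_police') == nil, 'unauthorised source is denied')
assert(openInventoryHardened(officer, 'stash', 'stash_police') ~= nil, 'authorised source is allowed')
assert(openInventoryHardened(attacker, 'player', 3) == nil, 'cannot open another player inventory')
print('ok: ' .. #dropped .. ' kick recorded')
```

The important ordering is that the server looks the inventory up by id and compares against what it stores, so nothing the client sends can select which check runs; the mismatch branch is where a warn log could replace the kick if DropPlayer is considered too aggressive.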
@FjamZoo

FjamZoo commented Sep 13, 2025

I think keeping it as a DropPlayer is overall beneficial enough, as there shouldn't really be any instances of this happening without poor development or a straight cheater.

thanks for the pr boss

@FjamZoo FjamZoo merged commit a7927aa into CommunityOx:main Sep 13, 2025
This was referenced Sep 13, 2025
Maximus7474 added a commit to Maximus7474/ox_inventory that referenced this pull request Sep 17, 2025
…which did not cover the type mismatch for temporary stashes
Maximus7474 added a commit to Maximus7474/ox_inventory that referenced this pull request Sep 17, 2025
…ot cover the type mismatch for temporary stashes