Secure RpcMessage against SenderClientId spoofing

xmanning · web-flow · commit 698fd2de5b2c · 2025-09-27T16:26:57.000-04:00
When a server receives an RpcMessage, it should update the SenderClientId to match the SenderId provided by the messaging manager. This is to prevent modified clients from spoofing their SenderClientId as other clients.
diff --git a/com.unity.netcode.gameobjects/Runtime/Messaging/Messages/RpcMessages.cs b/com.unity.netcode.gameobjects/Runtime/Messaging/Messages/RpcMessages.cs
@@ -196,6 +196,12 @@ public unsafe bool Deserialize(FastBufferReader reader, ref NetworkContext conte
 
         public void Handle(ref NetworkContext context)
         {
+            var networkManager = (NetworkManager)context.SystemOwner;
+            if (networkManager.IsServer)
+            {
+                SenderClientId = context.SenderId;
+            }
+            
             var rpcParams = new __RpcParams
             {
                 Ext = new RpcParams

Original file line number	Diff line number	Diff line change
`@@ -196,6 +196,12 @@ public unsafe bool Deserialize(FastBufferReader reader, ref NetworkContext conte`
`196`	`196`
`197`	`197`	`public void Handle(ref NetworkContext context)`
`198`	`198`	`{`
	`199`	`+ var networkManager = (NetworkManager)context.SystemOwner;`
	`200`	`+ if (networkManager.IsServer)`
	`201`	`+ {`
	`202`	`+ SenderClientId = context.SenderId;`
	`203`	`+ }`
	`204`	`+`
`199`	`205`	`var rpcParams = new __RpcParams`
`200`	`206`	`{`
`201`	`207`	`Ext = new RpcParams`