Cmdr: A fully extensible and type safe command console for Roblox Developers




Upon appending print(Cmdr:GetType("treasure")) at the conclusion of your server initialization script, what output does it generate in the output window?

1 Like


Nothing, I don’t know why it’s not printing anything.

1 Like

Could you consider incorporating print statements within the module of your custom type to verify proper functionality?

1 Like

I'm having the same problem! Even though I followed every step. Can you guys help in any way?

1 Like

evaera is the creator of Cmdr and continues to own the project. Myself and @COUNTYL1MITS are maintainers: we handle the general direction and oversee development of the project. We are both also moderators of evaera’s Discord server and handle that server’s Cmdr section.

Nobody “works” for Cmdr as it is an open source project and not a software product. Anyone may contribute to Cmdr, either by writing code, helping with issue (ticket) management, or providing support to users.

3 Likes

Warning: Using Cmdr

THIS HAS BEEN REPORTED TO THEM

Cmdr by evaera is a handy tool for quick command options, and I have used it a lot in the past.

But today, after a small conversation with some friends, he mentioned an idea he thought to be a theory, and I decided to test this theory.

To my discovery, there is a large lag vulnerability with Cmdr.

Proof

In this commit,

Removed reproduction, just screenshots. If you need more evidence I can provide it.

Also, with the newly added auto-complete on Roblox's TextChatService commands, that is a good option.

5 Likes

This was originally posted elsewhere but was removed by forum moderators, so I’m pasting my previous reply on this here:

This is an issue we are continuing to investigate. We have no reason to believe that there is an active risk to any game using Cmdr, and if you are experiencing issues like this you can get in touch with me directly.

This original post contains numerous errors and breaks rules for this forum category. It additionally is incredibly dangerous as it publishes what the author claims is a serious security vulnerability into the public domain.

This bug could occur with any part of any game, including in Roblox boilerplate (in fact there are several bugs just like this in core code). It is not a pressing or urgent issue, particularly given the dying nature of the Roblox exploiting community.

As with all open source libraries, you should aim to keep up-to-date. Once we have assessed this issue and provided any necessary fix, we will release a new version and announce it as usual. Unless we identify a specific security vulnerability, an advisory won’t be published.

We take security extremely seriously and when alerted previously to vulnerabilities have looked into them rapidly. As said, there is no threat, so we’re handling things a lot more calmly here. However, this situation has been a learning experience for us – particularly in the conduct of reporters – and so we are working to develop a security policy and ensure appropriate private reporting channels.

Since that post, we are currently working with an experienced researcher in addition to our core maintainer and user group team to identify the most effective solution to this problem, but we are treating it as a regular bug and not as a security issue in line with our newly-published Security policy.

This pull request introduces a new security policy. A security policy is necessary because:
  • it shows to our users that we take security seriously and value reports
  • it makes it clear to reporters what we expect of them, how we’ll handle their reports, and how they can get in touch
  • it makes clear to our users that they shouldn’t expect us to provide security fixes or support for older versions of Cmdr
  • it explains to researchers and our users what we do not consider to be security issues

In the past few months, we’ve had at least two incidents where a user has attempted to report a security vulnerability by making a pull request or other public report (e.g. on an online forum or via our support channels). This policy will help prevent incidents like that.

Next steps

We should continue to consider the viability of email reporting and if we find a solution that works, implement it.

As part of the ongoing documentation works, we should create at least one article discussing security. This could include things like permission hooks, common support questions (like “can exploiters run my commands?”), but also discuss some aspects of Cmdr’s internals which may be noteworthy to security-focused users.

As said, we have no reason to believe that:

  • any game is being targeted
  • that any real vulnerability exists
  • that this is anything unique to Cmdr

With that said, we are continuing to investigate. While we could bandaid fix this by simply changing the limit, that would not truly resolve the underlying ‘problem’ which exists; we are working on a longer-term fix that will minimise the potential for an attacker to take advantage of Cmdr.

We considered releasing a version with a lower character limit and then releasing a later version containing this longer-term fix, but as above to our knowledge there is no real vulnerability nor are games being targeted, and releasing lots of versions in a short time period could create update fatigue, which only harms our users and creates larger security risks in terms of patching real vulnerabilities.

4 Likes

I’d also like to briefly note that chat commands have always been an option for developers ever since the introduction of Lua chat :) But even with the new auto-complete features, rich context – like argument autocomplete, instant typechecking – and various other features that Cmdr offers, such as embedded and meta-commands.

However, this is not relevant to this topic, which is to discuss and support users of the Cmdr library. We kindly ask that you remain on-topic and respect any exclusions or limits we’ve set. You should not, for instance, be discussing projects unrelated to or separate from Cmdr.

4 Likes

Denial of Service attacks are nothing new and they are usually not considered to be security vulnerabilities. Like I said in my original response:

This bug could occur with any part of any game, including in Roblox boilerplate (in fact there are several bugs just like this in core code).

My original responses already explain this adequately so there’s no need for me to go further in-depth. Your claims of this being a “critical design flaw” are simply wrong and I believe that I’ve exhausted every possible way to demonstrate how. I’m not going to respond to further trolling or unprofessional comments. :)

To be clear, we’ve identified a fix and are working behind-the-scenes on getting it implemented and released as soon as we can. There’s no rush since there is no real security vulnerability (as said in my original message) and everyone working on Cmdr is ultimately a volunteer (as said in our security policy).

2 Likes

(post deleted by author)

3 Likes

Someone’s game should not have a DDoS due to your library.

1 Like

DoS attacks can happen as long as you’re online. It doesn’t matter if you have installed Cmdr or not because it’s the internet connection between a malicious user and the server that opens the vulnerability, not Cmdr. The only way to avoid it completely is to not use the internet.

4 Likes

This isn’t even a DDoS attack, it’s just Cmdr using up the server’s resources?

1 Like

Again, there is no evidence of this attack being used in the real world, although your and your friends’ continued publication of it (in violation of the code of conduct, our security policy, and the forum rules) certainly doesn’t help.

As I have already noted, simply reducing the limit doesn’t fix the bug, otherwise we would’ve done so by now. I can’t go into specifics here at this time for obvious reasons, but reducing the limit is just a band-aid fix to something that isn’t even happening. We are working on a fix that will stamp this problem out for good, but it’s important we get it right and don’t create unnecessary update fatigue. Just as with your friend, you are ignoring what I’ve already said on this matter; I do not wish to come across as impolite but it does appear you both are seriously misunderstanding this issue and basic cybersecurity more generally.

We will make the fix soon and announce it as usual. If a real game is being attacked, we will reprioritise and get it out urgently.

There is no need for end users to change the Cmdr source to lower the limit as even if they are being attacked, a lower limit does not solve the root cause of the issue.

I’m not going to further respond to you or your friends’ comments on this matter except to reinforce what has already been said and to call out disinformation.

6 Likes

If you have so many things to say about the work of these talented developers, go and make your own command console! Her response was clear, don’t be annoying about it.

4 Likes

Any update on this? Looked at the commits and it looked like another band-aid patch with the limit.

1 Like

Second this, didn’t you guys say you were working on an actual patch?

Quote from Auto’s reply:

1 Like

This post is in response to the above two replies and their authors’ general pattern of behaviour and comments.

On the bug and what was changed

We conducted an investigation into this issue and identified that the bug cannot crash servers, but it would grind the exploiting client to a halt (a non-issue). However, it would cause some performance impact (notably, occasional freezing for about a second – usually every 30-60 seconds) for other players.

This impact was minor, but we found that decreasing the internal limit from 100,000 to 10,000 entirely removed this freezing, so we felt this was a common-sense solution.

The confidential report we had, in accordance with our security policy, that identified a larger issue was incorrect but still helpful. We thank that reporter for working with us to identify the root cause and the best way forward, and – crucially here – for complying with our security policy and industry best practice, unlike noahrepublic.

Why it wasn’t announced

These findings, and the change, were not publicised in accordance with our security policy. We do not want to advertise this to potential exploiters and while @noahrepublic and @jake_4543 both have made this hypothetical issue well-known, any type of announcement or acknowledgement would only broadcast it further. It is also for this reason why the commit was made with an opaque message and as part of a bundle of several commits made straight to master.

Why hasn’t it been released

We have no reason to believe that this has been used in a real attack against a real game. We have no reason, at this time, to believe that may change.

This will be released as part of our next feature update, which we will release properly and normally. The new update will be accompanied by refreshed documentation and website, and various other quality of life improvements for users and developers.

Our plans, including contingencies, have not changed. If we identify a real attack has occurred, we will aim to work with the developers of that game to mitigate the situation. If there are multiple games being attacked, we’ll backport this fix onto the currently released version, and release a patch.

This is a costly process however and can create update fatigue. If we release a new update and then another update only weeks (probably less) later, it may cause developers to avoid using the newest Cmdr version which has more adverse impacts on security and reliability.


I’m sure this half of my post will resonate with anyone who has maintained any type of vaguely-notable open source project or read the accounts of someone who has, especially in the Roblox community.

Warranty

Cmdr’s license has been MIT since it was released. The MIT license, in all caps, states:

The software is provided "as is", without warranty of any kind

It goes on to assert this point. This is blunt but I think it needs to be spelled out explicitly: nobody has any right whatsoever to updates or any type of support. We, and our community, volunteer their time to help people, but that is a privilege that may be taken away and is not a right that can be relied on.

Cribbing from some recent writing I’ve done for the project: Cmdr itself is over five years old, some of the older parts of the code (like the interface) are even older. By the end of this month, it’ll have been half a decade since Cmdr 1.0.0 released. However, Cmdr has stood the test of time and is trusted on games with billions of visits earning millions of dollars worth of revenue.

Volunteer

Myself and @COUNTYL1MITS have been offering support in the cmdr-help channel for roughly four years. Eryn has offered updates and new features for Cmdr for years, until three months ago when she decided she no longer wanted to maintain it, and Wil and I became co-maintainers. The alternative was that Cmdr be archived and simply not maintained at all.

Wil and I are not paid for this and never have been. Eryn has a Patreon page but that is primarily funded by, and is for, RoVer development.

I personally volunteered to maintain Cmdr for altruistic reasons, I don’t doubt that Wil – with his six thousand messages in the cmdr-help channel and forty posts in this thread – volunteered for the same. Our mission as maintainers is to keep Cmdr stable and up-to-date as the Roblox platform ages with it, while improving it to make it even better.

Again, this is something we are not paid for and – as is the nature of open source – is a thankless job. And, crucially, this is something we volunteer to do, it is not our job.

As part of that mission to keep Cmdr stable, we take its security very seriously. It’s why we have developed and published a security policy and will genuinely care about any legitimate, appropriate and professional report.

We do not volunteer to have to put up with any type of harassment or undue pressure whatsoever and we will not tolerate it.

Conduct

This section is an open letter to @noahrepublic and, to a lesser extent, @jake_4543, but has been written in the same tone (i.e. not addressing anyone) as the rest of the post.

When noahrepublic made his report late in the evening (for me) on the 23rd of August (which btw: was only a few days after my birthday; I had an extremely sensitive medical appointment earlier that day; and I had plans for the following day) alleging that exploiters could “lag out servers”, I was alarmed and my attention was caught immediately.

I asked if this is something that was happening in a real-world game and was told it wasn’t. I presumed that it was, therefore, unlikely for this to be a real issue; that denial of service and “crashing” bugs can occur anywhere and exist in Roblox-wide code; but that I would still investigate and we would get any issues fixed.

On the 25th (a day where I was mostly out of the house on errands), we had received this confidential security report I mentioned. noahrepublic had also publicised this security vulnerability at this point and refused to take it down, offering a non-solution which would not have solved the issue and commenting:

It’s not really hard to figure out the exact steps. It works on literally any command that takes a string parameter, maybe even any command, haven’t tested. Furthermore, if someone is deciding whether to use it, it would be a fair warning, considering there are better options like Roblox’s default command system, which just got auto complete.

He then followed, describing Cmdr as being poorly designed. A community member asked him to not continue publicising this vulnerability until we could investigate it and understand its scope (it’s important to remember that he believed this was a serious, game-breaking bug) to which he responded:

Sounds like a consequence for design actions.

What kind of warning is it if I go and say “yeah this exists… but no way of proving it does just gotta trust me.”

I will remove specific command reproducing but will keep the statement where it is in that commit.

noahrepublic continued arguing with community members in a toxic way, berating those members as well as the authors of Cmdr, and spreading misinformation. He was banned from the server with the message:

Your conduct as a reporter has been inflammatory, immature, destructive and is not appropriate for the professional development of open source software. We have therefore decided to exclude you from future involvement in the project; this means you must leave and not attempt to join in Cmdr related spaces, including this server, our DevForum thread, or GitHub.

In other words, we asked him nicely to leave us alone and let us investigate. The message also noted that a written-up response to his report would be made public once testing had been conducted.

Within no more than a few hours after noahrepublic’s ban, jake_4543 (a friend of noahrepublic) had joined our server. On the 26th of August, he asked if there was an update on the fix. He had claimed that it was an issue affecting his game, and when asked for a link took a while to provide a link to a testing baseplate, not an actual game.

Up until this point, both users had been making spamming and harassing comments on the DevForum, mostly containing misinformation on the situation, such as:

To my discovery, there is a large lag vulnerability with Cmdr. Someone’s game should not have a DDos due to your library.

Many of these posts have since been abridged or deleted.

The next morning, testing had been conducted which is described in the first section of this post. In other words, we found the reported bug was a non-issue, and were discussing the way forward internally (whether that be to introduce leaky-bucket rate limiting or to lower the character limit and see what happens).

We decided on lowering the character limit and this change was made on the evening of the 27th.

Today, the 2nd of September, both noahrepublic and jake_4543 made comments asking for updates on the situation, describing our fix as “another bandaid patch” and asking in our help channel “how come this was put in place whilst eleanor said it was a mainly client side ping issue, or did you find it also lagged the server?”. Also today, both were asked privately to be mindful of their behaviour and to refrain from interacting with us and others, and both responded immaturely and impertinently.

In summary, noahrepublic has engaged in a pattern of harassing and abusive behaviour towards Cmdr maintainers and contributors, and has been blocked, banned and excluded for this. This pattern of behaviour became coordinated when his friend and colleague, jake_4543, became involved with his ‘cause’.

This is something that is completely unacceptable and we will not tolerate it. We have sought thus far to engage in discreet and cordial solutions, such as nicely asking for misinformation and reproduction instructions to not be posted publicly, and have only been met with further hostility.

It is something that we have become increasingly tired of and this is ultimately the straw that has broken the camel’s back.

And to be abundantly clear, I will address this directly here: you have orchestrated a campaign of harassment and misinformation about Cmdr and its maintainers. I hope that the above has explained to you adequately why we have felt the need to publicly instruct you that you both, and anyone acting on your command, must never interact with the Cmdr project, including:

  • in our official help channels

  • on our GitHub page

  • through our official DevForum threads

  • any of our other places that we officially occupy, currently or in the future

You also must not interact or attempt to interact with us, the maintainers, for any reason.

Any contact whatsoever will be treated as further harassment and — no matter the content — will be ignored and reported to the platform.

I am genuinely astonished that, when I volunteered to co-maintain Cmdr, any situation like this would ever occur, let alone that I would have to be writing an open letter to demand someone stops harassing us.

If either of you feel a need to comment or apologise, I appreciate it but direct you to the above: we do not want any further contact whatsoever from you.


This was originally going to be the end of the post but I felt like leaving on such a note would be negative for anyone reading, so here’s what will be in the next Cmdr update:

  • Command-specific guards, which would allow you to restrict specific commands behind some requirement in a reusable way (instead of repeating logic across functions or bloating hooks with this type of stuff)

  • teleport built-in command will jump players if they’re seated

  • help built-in command will become more helpful with cmds and commands aliases, and will display a command’s group (if set)

  • A range of minor improvements, bug fixes, and internal tweaks

  • An entirely rebuilt Cmdr website with new API documentation written from scratch

We have no plans to rush any of this: quality over quantity (plus, you know, the whole volunteer thing). The current version of Cmdr is suitably stable. If the “bug” which sparked this whole debacle is abused on any scale, we will backport a fix for it into the current version. Otherwise, I look forward to being able to announce Cmdr Version 1.13 once it’s ready.

11 Likes
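The post above describes the bug as oversized raw command text (the internal limit was lowered from 100,000 to 10,000 characters) and says the maintainers weighed leaky-bucket rate limiting against lowering that limit. The following is an added illustration, not Cmdr's own code, of a guard that combines both controls in front of command dispatch; the `Guard` module, its constants, the fake clock, and the commented Cmdr hook wiring are my assumptions.

```lua
-- Added illustration (not Cmdr's own code): two defensive controls discussed
-- in the thread, a hard cap on raw command text length and a per-sender
-- leaky-bucket rate limit, combined into one guard. Plain Lua 5.x / Luau;
-- the clock is injected so behaviour can be checked deterministically.

local MAX_COMMAND_CHARS = 10000   -- the lowered limit mentioned in the thread
local BUCKET_CAPACITY   = 5       -- burst of commands allowed at once
local LEAK_PER_SECOND   = 1       -- sustained commands per second per sender

local Guard = {}
Guard.__index = Guard

-- clock: function returning seconds (os.clock, os.time, or a fake in tests)
function Guard.new(clock)
    return setmetatable({ clock = clock, buckets = {} }, Guard)
end

-- Drain the bucket for `key` according to elapsed time, then return it.
function Guard:bucketFor(key)
    local now = self.clock()
    local b = self.buckets[key]
    if not b then
        b = { level = 0, last = now }
        self.buckets[key] = b
    end
    local elapsed = now - b.last
    b.level = math.max(0, b.level - elapsed * LEAK_PER_SECOND)
    b.last = now
    return b
end

-- Returns nil when the command may run, or a short rejection reason.
-- `key` identifies the sender (e.g. a player's UserId); `rawText` is the
-- full command line as typed. The length check runs before any parsing.
function Guard:check(key, rawText)
    if type(rawText) ~= "string" or #rawText > MAX_COMMAND_CHARS then
        return "Command text exceeds " .. MAX_COMMAND_CHARS .. " characters"
    end
    local b = self:bucketFor(key)
    if b.level + 1 > BUCKET_CAPACITY then
        return "Too many commands; slow down"
    end
    b.level = b.level + 1
    return nil
end

-- Self-check with a constructed fake clock (constructed sample input).
local t = 0
local guard = Guard.new(function() return t end)
assert(guard:check(1, "help") == nil)
assert(guard:check(1, string.rep("a", MAX_COMMAND_CHARS + 1)) ~= nil)
for _ = 1, 4 do assert(guard:check(1, "help") == nil) end   -- bucket now full
assert(guard:check(1, "help") ~= nil)                         -- 6th in burst rejected
t = 3                                                          -- 3 s later: 3 leaked
assert(guard:check(1, "help") == nil)
assert(guard:check(2, "help") == nil)                          -- other sender unaffected

-- Assumed wiring as a Cmdr BeforeRun hook (verify field names against the docs):
-- Cmdr.Registry:RegisterHook("BeforeRun", function(context)
--     return guard:check(context.Executor.UserId, context.RawText)
-- end)
```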

Multiple of us are blocked from creating issues in the repo for no reason, is it fine if we do it here instead of the repo?

You guys say that “to report it in the discord server or on the github”, but we all are either blocked and/or banned from the discord server for some stupid reason, just to kick us out because you know we’re right. I have some issues I’m willing to report that I found with Cmdr, but I struggle to report them as I’ve been banned and blocked from the discord server, and the GitHub for no apparent reason. If need be, we can talk about this in depth, in private messages to hopefully clear some stuff up.

2 Likes