[Bug] - esx_core- Setting Job #1322

Closed
HighLatencyy opened this issue Feb 22, 2024 · 5 comments
@HighLatencyy

HighLatencyy commented Feb 22, 2024

Describe the bug
Anyone can execute the following with a mod menu and get access to any specific job, resulting in them being able to access specific stuff in the server. This works for any version, by the way.

To Reproduce

  1. Set your job to, for example, unemployed.
  2. Run the code below on the client side:

```lua
local function example()
    print("1")
    Wait(100)
    print("2")
    Wait(8000)
    -- Local (client-only) event trigger; no server call is made
    TriggerEvent('esx:setJob', { name = "police", label = 'MEECH', grade = 13, grade_name = "boss", grade_label = "Chief of police" })
    Wait(10)
    print("Executed")
end

-- /test runs the function above
RegisterCommand('test', function(playerId, args, rawCommand)
    example()
end)
```

  3. Type /job; it will say on the server that their job is unemployed, but on the client they can access every 'Police' feature. This works for any job that relies on the player data on the client, for example house breaching, armory, etc. It does not work on the server side, though.

Expected behavior
A way for cheaters to not be able to set their job.

Screenshots
None

Debug Info (please complete the following information):

  • OS: Windows
  • Artifact: 7290
  • ESX Version: 1.10.5

Additional context
None

@HighLatencyy HighLatencyy added the bug Something isn't working label Feb 22, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in ESX Roadmap Feb 22, 2024
@Thekuca
Contributor

Thekuca commented Feb 22, 2024

You can fix this vulnerability by using imports.lua in the fxmanifest of the job and deleting the esx:setJob handlers on the client side.

@HighLatencyy
Author

> You can fix this vulnerability by using imports.lua in the fxmanifest of the job and deleting the esx:setJob handlers on the client side.

Wouldn't this break compatibility with most scripts?

@Thekuca
Contributor

Thekuca commented Feb 23, 2024

> > You can fix this vulnerability by using imports.lua in the fxmanifest of the job and deleting the esx:setJob handlers on the client side.
>
> Wouldn't this break compatibility with most scripts?

No. This was used when es_extended didn't have an imports.lua file. Now imports.lua handles player data object updating with a GetInvokingResource() check to prevent Lua executors (cheaters) from updating the object.
I am not sure why this event handler wasn't removed from ESX resources such as esx_policejob, but I will talk with the team and it will surely be implemented soon.
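
The mitigation described in the comment above, paired with a server-side check, as an added example that is not part of this thread or of ESX's own code. The resource name `example_job`, its event names and the `armory` command are hypothetical, and `esx:setPlayerData` is assumed to be the event es_extended raises locally when player data changes.

```lua
-- shared.lua of a hypothetical job resource (added example, not ESX code)
local ESX = exports['es_extended']:getSharedObject()

if not IsDuplicityVersion() then
    -- CLIENT SIDE
    -- Legacy pattern discussed in this issue: the handler trusts whoever
    -- raised the event, so a local TriggerEvent overwrites the cached job.
    --   RegisterNetEvent('esx:setJob', function(job) ESX.PlayerData.job = job end)

    -- Guarded pattern: update the local cache only when es_extended itself
    -- raised the event (event name is an assumption, see lead-in).
    local PlayerData = {}
    AddEventHandler('esx:setPlayerData', function(key, value)
        if GetInvokingResource() ~= 'es_extended' then
            return -- raised by some other resource or script: ignore it
        end
        PlayerData[key] = value
    end)

    -- The client cache only drives UI; the request still goes to the server.
    RegisterCommand('armory', function()
        TriggerServerEvent('example_job:openArmory') -- hypothetical event
    end, false)
else
    -- SERVER SIDE: the job stored on the server is the authority.
    RegisterNetEvent('example_job:openArmory', function()
        local src = source
        local xPlayer = ESX.GetPlayerFromId(src)
        if not xPlayer or xPlayer.job.name ~= 'police' then
            -- A client whose local job was tampered with ends up here.
            print(('[example_job] armory denied for %s (server job: %s)')
                :format(src, xPlayer and xPlayer.job.name or 'unknown'))
            return
        end
        TriggerClientEvent('example_job:armoryOpened', src) -- hypothetical event
    end)
end
```

The denial log line gives server owners a signal for clients whose local job state does not match the server's.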

@HighLatencyy
Author

> > > You can fix this vulnerability by using imports.lua in the fxmanifest of the job and deleting the esx:setJob handlers on the client side.
> >
> > Wouldn't this break compatibility with most scripts?
>
> No. This was used when es_extended didn't have an imports.lua file. Now imports.lua handles player data object updating with a GetInvokingResource() check to prevent Lua executors (cheaters) from updating the object. I am not sure why this event handler wasn't removed from ESX resources such as esx_policejob, but I will talk with the team and it will surely be implemented soon.

It works for any resource that has the event, I believe. It should probably be a priority, as people can access anything a job has because of this.

@Thekuca
Contributor

Thekuca commented Feb 23, 2024

I agree, it will be implemented soon.

@Thekuca Thekuca closed this as completed Feb 23, 2024
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in ESX Roadmap Feb 23, 2024