RPC erroneously passes EncodedObjectAsId

[kiiada]

Godot version:
3.1.1

OS/device including version:

Windows 10 - client
Amazon linux on EC2 - server

Issue description:

An RPC function that previously worked in 3.0 was called with a reference to a node to translate the node to a preset position. RPC call failed as parameter received was of type EncodedObjectAsId.

Steps to reproduce:
Create a simple server/client architecture. Immediately after client joins and spawns a player object, attempt to use an rpc call to translate it to a new location

Minimal reproduction project:

[Faless]

@kiidmale this was changed due to: #27395 (breaking compat).
See the release notes of 3.1.1 and #27485 .
Basically, you now need to set the NetworkedPacketPeer allow_object_decoding property to true (as was originally intended, but never implemented correctly until now).
This is done for security reason, as decoding objects allows remote code execution.

[kiiada]

What is the recommended method of passing parameters to ensure that remote code execution attacks do not occur?

[Faless]

What is the recommended method of passing parameters to ensure that remote code execution attacks do not occur?

Do not allow object encoding, and only use built-in types for RPCs (e.g. String, Vector, PoolVector, Transform, Array, Dictionary, etc, except Object of course).

[kiiada]

Closing - appreciate the informative responses, @Faless