BRForgers / DisFabric-and-DisForge

A barebones Discord <-> Minecraft chat bridge.

Webhooks can ping with no regard for intention #4

Open sschr15 opened 4 months ago

sschr15 commented 4 months ago

The current implementation of the webhook allowed-mentions JSON value allows webhooks to ping any role regardless of whether that role has its ping permission set. This can lead to mass pings from malicious actors with no way to disable them except by running directly through the bot without webhooks.

My recommendation would be either to check with the JDA bot for roles which can be pinged and explicitly allow only those, to add configuration options to fully disable pings from users and/or roles, or both.
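An added example (not code from this project) of how a bridge can build the webhook body so that the `allowed_mentions` object only permits what the guild's role settings and the bridge's config allow, combining both recommendations above. It is in Python rather than the mod's Java, assumes the role list (with each role's `mentionable` flag) was already fetched through the bot, and uses Discord's documented `allowed_mentions` shape; the sample roles are constructed.

```python
import json
from typing import Dict, List

# Constructed sample of what the bot would fetch (e.g. JDA's Guild.getRoles());
# "mentionable" mirrors the role's "Allow anyone to @mention this role" setting.
SAMPLE_ROLES: List[Dict] = [
    {"id": "111111111111111111", "name": "Admin", "mentionable": False},
    {"id": "222222222222222222", "name": "Helpers", "mentionable": True},
    {"id": "333333333333333333", "name": "Events", "mentionable": True},
]

MAX_IDS = 100  # Discord accepts at most 100 ids in allowed_mentions.roles / .users


def build_allowed_mentions(roles: List[Dict], allow_role_pings: bool,
                           allow_user_pings: bool) -> Dict:
    """allowed_mentions object restricted to what the server itself permits.

    - "everyone" is never added to parse: bridged chat must not ping @everyone/@here.
    - Role pings are an explicit list of mentionable role ids; "roles" is kept out of
      parse because Discord rejects a body that sets both parse:["roles"] and roles.
    - User pings are all-or-nothing through parse:["users"].
    - With both options off the result is {"parse": []}, which suppresses every ping.
    """
    parse: List[str] = []
    allowed: Dict = {"parse": parse}
    if allow_user_pings:
        parse.append("users")
    if allow_role_pings:
        allowed["roles"] = [r["id"] for r in roles if r.get("mentionable")][:MAX_IDS]
    return allowed


def build_webhook_payload(content: str, username: str, roles: List[Dict], *,
                          allow_role_pings: bool = True,
                          allow_user_pings: bool = False) -> Dict:
    """Body for POST /webhooks/{id}/{token}; the keyword flags stand in for config."""
    return {
        "content": content,
        "username": username,
        "allowed_mentions": build_allowed_mentions(roles, allow_role_pings, allow_user_pings),
    }


if __name__ == "__main__":
    # A player tries to ping Admin: the text is relayed unchanged, but only the
    # Helpers/Events ids are in the allowed list, so Admin members get no ping.
    body = build_webhook_payload("<@&111111111111111111> <@&222222222222222222> help",
                                 "Steve", SAMPLE_ROLES)
    print(json.dumps(body, indent=2))
```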