DuckySoLucky / hypixel-discord-chat-bridge

A two-way chat bridge between Hypixel guild chat and a Discord channel. The application utilizes discord.js v14 for communicating with Discord, and mineflayer for communicating with Hypixel.

Message overflow allows users to execute any commands as bot user #168

Open DSSoftware opened 1 year ago

DSSoftware commented 1 year ago

What's the issue:

Slicing long messages into several messages allows possible unauthorized command execution.

How to reproduce:

A command like this 1234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234567891234/gc hey would execute the command /gc hey as the bot, but it needs adjustment so that the message is sliced right at the end of the placeholder string and the payload is sent as another message.

How to fix:

The simplest option is to remove slicing entirely OR add IGN > at the end of the sliced string.

github-actions[bot] commented 1 year ago

This looks like your first issue! Thank you for bringing this issue to our attention. Expect a developer to comment within the first 3-5 business days of issue submission.

DSSoftware commented 1 year ago

Temporary solution

Strip all message contents after a certain message length (still testing).

Example of overflow


DSSoftware commented 1 year ago

Reason for unintended behavior:

Mineflayer Docs:

bot.chat(message) Sends a publicly broadcast chat message. Breaks up big messages into multiple chat messages as necessary.
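An added example (not code from this project or from DSSoftware) that models the overflow described in this issue: a relay that prefixes the Discord author's IGN once and hands the whole string to a bot.chat()-style splitter, shown beside the two fixes proposed here (truncating so only one chat message is ever sent, and prefixing every chunk). The 256-character chat limit and fixed-length slicing are assumptions standing in for mineflayer's real splitting logic, which is only described by the documentation quoted above; the IGN and the /gc hey payload come from the issue.

```javascript
// Added example, not code from hypixel-discord-chat-bridge or mineflayer.
// Assumption: the server accepts chat messages of at most 256 characters and
// bot.chat() "breaks up big messages into multiple chat messages" by cutting
// the string into fixed-length pieces.
const CHAT_LIMIT = 256;

// Model of bot.chat(): cut the message into fixed-length chunks; every chunk
// goes out as its own chat message.
function splitChat(message, limit = CHAT_LIMIT) {
  const chunks = [];
  for (let i = 0; i < message.length; i += limit) {
    chunks.push(message.substring(i, i + limit));
  }
  return chunks;
}

// Model of the Minecraft client: a message whose first character is "/" is
// sent as a command, everything else as plain chat.
function smuggledCommands(chunks) {
  return chunks.filter((chunk) => chunk.startsWith('/'));
}

// Vulnerable relay: the "IGN > " prefix is added once, then the whole string
// is handed to the splitter. Only the first chunk carries the prefix.
function relayVulnerable(ign, content) {
  return splitChat(`${ign} > ${content}`);
}

// Fix 1 from the issue (the temporary solution): strip everything past the
// limit, so slicing never happens and exactly one message is sent.
function relayTruncate(ign, content) {
  const header = `${ign} > `;
  return [header + content.substring(0, CHAT_LIMIT - header.length)];
}

// Fix 2 from the issue: slice the content, not the prefixed string, and put
// "IGN > " in front of every chunk. No chunk can start with "/" because each
// one starts with the header.
function relayPrefixed(ign, content) {
  const header = `${ign} > `;
  return splitChat(content, CHAT_LIMIT - header.length).map((c) => header + c);
}

// Constructed payload: the padding is sized so that header + padding is
// exactly CHAT_LIMIT characters, which is the alignment the issue says the
// attacker has to tune so the slice lands right before "/gc hey".
function buildPayload(ign, command = '/gc hey') {
  const header = `${ign} > `;
  return '1'.repeat(CHAT_LIMIT - header.length) + command;
}

const ign = 'DSSoftware';
const payload = buildPayload(ign);
console.log(smuggledCommands(relayVulnerable(ign, payload))); // [ '/gc hey' ]
console.log(smuggledCommands(relayTruncate(ign, payload)));   // []
console.log(smuggledCommands(relayPrefixed(ign, payload)));   // []
```

With the prefixed variant the second chunk goes out as the text "DSSoftware > /gc hey", which the server treats as ordinary guild chat; shifting the padding by even one character in the vulnerable variant moves the "/" off the chunk boundary and the command is not executed, which is why the issue notes the payload "needs adjustments".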

DuckySoLucky commented 1 year ago

Heya, thanks, gonna check that out once I'm free.

DSSoftware commented 1 year ago

#169 is done and should fix this issue.