Closed: tailsjs closed this 2 years ago
Access to the eval command is best given to the owner of the bot, and not to all administrators. What protections you stuck in eval can be bypassed with a simple
client["nekot".split("").reverse().join("")].split("").reverse().join("") // and then reverse it again
Also you can use the safe-eval module.
What's wrong with Administrators being able to use eval? Only DIBSTER and Artiom can use eval, and they are highly trusted, do you like not trust DIBSTER?
ay it is just better to prevent the token from being stolen. Artiom's or Dib's account could get hacked and they could just steal the token from the bot
so i just suggest safe eval
this bot is discontinued now ;-;
The current bot version's development stopped a long time ago, but this would be a nice suggestion for the new version that will be coming soon.
If you give eval to a bad person, he can kill your VDS. I came across this code through the stars of my friend, so I don't know who DIBSTER is.
I also just showed that you should not make protections for eval, because you can think of millions of ways to bypass protections.
dibster is a panel admin and administrator on artiom's hosting server
I did this check (check for word token as input and the actual token on output) to prevent leaking the token accidentally
dibster is a panel admin and administrator on artiom's hosting server
👆
But, you could add a safeguard like
if(`${message.content}==client.token`){
client.Send('No lol')
}
I don't know djs LOLOL
this is basic js and that will always be true
Orrrr, if they try execSync
make it send to a file like a fake one or if they use fs ofc
and this is where a problem comes in: you can reverse it and then gain the token, so it's useless
frick autocorrect
First of all, only dibster and I have access to the bot's files and configuration (including token). Second of all, only dib and I have access to the eval command. Third of all, I did that small check in eval.js to prevent an accidental token leak. I don't see why to search for vulnerabilities and bypasses when you already have access to the files 🤷‍♂️
true
you could get hacked
I cannot comment on Artiom's Discord account security, but I can assure you that my account is protected via 2FA; the chances of my account being compromised are very, very low.
That being said, if someone got my user token, yeah they could start dealing some havoc on my account.
I'll take this suggestion into consideration, but I also use the eval command for certain tasks like fixing user's server counts.
As of now, like Artiom mentioned, this will definitely be a good addition to the new in-progress Discord Bot. This suggestion/PR will not be disregarded by any means.
You got a good point! I will try to increase the security of the eval command, but I won't use safe-eval since fs exists and it could read config.json.
But I will try to filter the output as much as possible. But anything I would do, there will still be vulnerabilities. A 100% SAFE EVAL DOESN'T EXIST
The only way I could do an eval the safest is with 2FA 💀 like run the eval command, then send the 6-digit PIN code sent to your email
Anyways, I'm not that interested in keeping the bot's token safe rather than making the panel API keys safe. Customers' privacy on top. Even if someone gets the bot token and raids the server, that's better than someone raiding the panel and causing data breaches. It's easier to create a new Discord server and invite everyone back than to regain the clients' trust and get bad feedback. :)
Only if ppl have just access to eval cmd they can get all the clients' information from the panel right
Conclusion: the eval command is dangerous and I can't do anything about it, except remove it.
like run eval command then send the 6 pin code sent on your email
💀
LMAO, imagine me just getting a 2FA code just so I can use a discord command. 😂
imagine...