Closed NotSugden closed 1 year ago
Should be resolved in d7289c9b2dd2bbe5f2066293a79d80be1f99ef6e.
The iw4m-admin API endpoint that is used here does ignore data other than client id and password, but things like invalid JSON could definitely be an issue.
https://github.com/Sparker-99/Admin-bot/blob/ffc75a74c7a83ea5716c5a5eb632c47536ad0cc6/commands/slash/Modals/login.js#L51
The user can modify the JSON sent to the server and make it invalid JSON, or send other data to the server that was not intended, because the user input is not sanitized.
Example: User types in
", "my_custom_json_value": "poo
as their password and then the JSON is sent to the server.
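The injection reported above, as an added example that is not the bot's actual code: it builds the login body once by string concatenation and once with `JSON.stringify`, then parses each the way a JSON-consuming server would. The field names `clientId` and `password` and all function names are assumptions for illustration; the inputs are the password from the issue text and a constructed one containing a lone quote.

```javascript
// Added example. Field names (clientId, password) and function names are
// assumptions; they are not taken from login.js or the iw4m-admin API.

// Vulnerable pattern: user input is spliced directly into a JSON string.
function buildBodyUnsafe(clientId, password) {
  return `{"clientId": "${clientId}", "password": "${password}"}`;
}

// Hardened pattern: build an object and let JSON.stringify escape the values.
function buildBodySafe(clientId, password) {
  return JSON.stringify({ clientId: String(clientId), password: String(password) });
}

// Parse a body as a server would and report what it actually receives.
function inspect(body) {
  try {
    const parsed = JSON.parse(body);
    return { valid: true, keys: Object.keys(parsed), password: parsed.password };
  } catch (err) {
    return { valid: false, keys: [], password: null };
  }
}

// Inputs: the password quoted in the issue, and a constructed one with a lone quote.
const injected = '", "my_custom_json_value": "poo';
const loneQuote = 'pa"ss';

function demo() {
  return {
    // Extra key appears and the password field is emptied.
    unsafeInjected: inspect(buildBodyUnsafe('123', injected)),
    // The request body is no longer valid JSON.
    unsafeLoneQuote: inspect(buildBodyUnsafe('123', loneQuote)),
    // Both inputs survive as plain password strings.
    safeInjected: inspect(buildBodySafe('123', injected)),
    safeLoneQuote: inspect(buildBodySafe('123', loneQuote)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the serializer in place, quotes and backslashes in the input are escaped, so the body always contains exactly the two intended keys.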