kiwiirc / irc-framework

🛠️ A better IRC framework for node.js. For bots and full clients.
MIT License

possible security issue: event.reply does not split message by newline #244

Closed proton-ab closed 4 years ago

proton-ab commented 4 years ago

Calling event.reply with a message like Hello World\nQUIT will cause irc-framework to pass the input straight to sockets, which in turn will split its input by newlines, resulting in the IRC server receiving two lines from the client: PRIVMSG #dev :Hello World and QUIT.

The underlying function responsible for handling replies to events will properly split messages and append the appropriate prefix (PRIVMSG #dev in the previous example) for lines that are above the threshold length; however, it does not do so for messages that explicitly contain \n in them.

This might lead to possible remote command execution in implementations utilizing event.reply to send untrusted data. The simplest example would be a bot fetching link titles for web pages.

prawnsalad commented 4 years ago

Thanks for the report, now fixed in https://github.com/kiwiirc/irc-framework/commit/24be97dbe2160a679e905d95b45c5461ab173b61
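
The behaviour reported in this issue, as an added example that is not part of the thread and not irc-framework's own code or its fix: it compares what a server parses when untrusted text is interpolated into one PRIVMSG with a caller-side helper that sends each physical line as its own PRIVMSG. The function names and the sample title are hypothetical, and length-based splitting is left out.

```javascript
// Added illustration; helper names are hypothetical, not irc-framework's API.

// What an IRC server sees: the byte stream is cut into commands at CR/LF.
function serverView(wireData) {
    return wireData.split(/\r\n|\r|\n/).filter((l) => l.length > 0);
}

// Unsafe: untrusted text is interpolated into a single protocol line.
function naivePrivmsg(target, text) {
    return `PRIVMSG ${target} :${text}\r\n`;
}

// Safer: every physical line of the text becomes its own PRIVMSG,
// so nothing after a newline can be parsed as a separate command.
function safePrivmsg(target, text) {
    // The target is protocol syntax too: no whitespace, NUL or list separator.
    if (!/^[^\s\0,]+$/.test(target)) {
        throw new Error('invalid target');
    }
    return String(text)
        .split(/\r\n|\r|\n/)
        .map((line) => line.replace(/\0/g, ''))
        .filter((line) => line.trim().length > 0)
        .map((line) => `PRIVMSG ${target} :${line}\r\n`)
        .join('');
}

// Constructed sample: a page title as a link-title bot might receive it.
const untrustedTitle = 'Hello World\nQUIT';

function demo() {
    return {
        naive: serverView(naivePrivmsg('#dev', untrustedTitle)),
        safe: serverView(safePrivmsg('#dev', untrustedTitle)),
    };
}

console.log(demo());
```
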