search

poshbotio / PoshBot

Powershell-based bot framework
MIT License
540 stars 108 forks source link

Certain characters like ampersand are not decoded before executing a command #108

Closed RamblingCookieMonster closed 6 years ago

RamblingCookieMonster commented 6 years ago

If you run a command that includes &, for example... !u -ldapfilter '(&(some=query)(some=query))', PoshBot will try to execute the code with \u0026amp; rather than &.

This may be limited to the Slack back end. Haven't dug too deep.

Expected Behavior

PoshBot decodes input messages to allow characters like &

Current Behavior

Example logs:

{"DataTime":"2018-09-13 14:44:45Z","Class":"SlackBackend","Method":"ReceiveMessage","Severity":"Normal","LogLevel":"Debug","Message":"Received message","Data":"{\"type\":\"message\",\"user\":\"REDACTED\",\"text\":\"!u -ldapfilter \\u2018(\u0026amp;(samaccountname=wframe)(samaccountname=wframe))\\u2019\",\"client_msg_id\":\"dce5fefc-da82-4841-9737-cdcfa2a017ea\",\"team\":\"REDACTED\",\"channel\":\"REDACTED\",\"event_ts\":\"1536849885.000100\",\"ts\":\"1536849885.000100\"}"}
{"DataTime":"2018-09-13 14:44:45Z","Class":"Bot","Method":"HandleMessage","Severity":"Normal","LogLevel":"Debug","Message":"Parsed bot command","Data":{"Plugin":"","Command":"u","Version":"","NamedParameters":{"ldapfilter":"(\u0026amp;(samaccountname=wframe)(samaccountname=wframe))"},"PositionalParameters":[],"Time":"\/Date(1536864285000)\/","From":"REDACTED","FromName":"wframe","To":"REDACTED","ToName":"","CommandString":"u -ldapfilter ‘(\u0026amp;(samaccountname=wframe)(samaccountname=wframe))’","OriginalMessage":{"Type":1,"Subtype":0,"Id":null,"Text":"u -ldapfilter ‘(\u0026amp;(samaccountname=wframe)(samaccountname=wframe))’","To":"REDACTED","ToName":null,"From":"REDACTED","FromName":"wframe","Time":"\/Date(1536864285000)\/","IsDM":true,"Options":null,"RawMessage":{"type":"message","user":"REDACTED","text":"!u -ldapfilter ‘(\u0026amp;(samaccountname=wframe)(samaccountname=wframe))’","client_msg_id":"dce5fefc-da82-4841-9737-cdcfa2a017ea","team":"REDACTED","channel":"REDACTED","event_ts":"1536849885.000100","ts":"1536849885.000100"}}}}

Possible Solution

Sorry, just recording this for now, will be back!

Steps to Reproduce (for bugs)

Create a command that takes a string parameter. Give it a value with &, and check the logs

Context

Certain queries and parameter values require an & among (presumably) other characters that might not be decoded

Your Environment

PoshBot v0.10.0 (sorry, behind!)

devblackops commented 6 years ago

Thanks @RamblingCookieMonster. This should be fixed now in 975f06be40c8e5c1874586edb49e70f31d91a155.

devblackops commented 6 years ago

Actually use fb03c451652ed16db1ed99382d278073960860d8

devblackops commented 6 years ago

Fixed in https://github.com/poshbotio/PoshBot/commit/fb03c451652ed16db1ed99382d278073960860d8